From bootc at bootc.net Wed Apr 1 10:07:26 2009
From: bootc at bootc.net (Chris Boot)
Date: Wed, 01 Apr 2009 11:07:26 +0100
Subject: [rancid] Re: Adding a new device type
In-Reply-To: <370BD08812250148A3EC9CFC41A6D60101772FCEEC@EXCHANGE1.orm.omniture.com>
References: <49D1EB91.2000607@bootc.net> <370BD08812250148A3EC9CFC41A6D60101772FCEEC@EXCHANGE1.orm.omniture.com>
Message-ID: <49D33CDE.60809@bootc.net>

Mike,

Many thanks! I have a set of working scripts now. Where do I send my patch?

Cheers,
Chris

Mike Ashcraft wrote:
> Chris,
>
> The quick basics:
>
> 1 -- Create an expect script similar to clogin that can connect to the device and run commands. You may be able to start with one of the existing *login scripts found in the bin directory, if they partially work on your device, to speed up the process. If you can find one that already works, use it. This would need to telnet in and the MikroTik interface is fairly simple. clogin might work for you with only minimal changes to address the format of the prompt.
>
> 2 -- create a perl script similar to rancid that uses the login expect script from the previous step to obtain the configuration and parse/sort it as needed to clean up the output. For example on the MikroTik this may just run the 'export' command and discard the login output and CLI prompt.
>
> 3 -- Add your new device type to rancid-fe
>
> 4 -- Setup the new devices in router.db using your new device type
>
> Good luck,
>
> Mike
>
> -----Original Message-----
> From: rancid-discuss-bounces at shrubbery.net [mailto:rancid-discuss-bounces at shrubbery.net] On Behalf Of Chris Boot
> Sent: Tuesday, March 31, 2009 4:08 AM
> To: rancid-discuss at shrubbery.net
> Subject: [rancid] Adding a new device type
>
> All,
>
> I've just discovered RANCID after an entry on the SANS ISC blog
> (http://isc.sans.org/diary.html?storyid=6100) - very nice tool. I've set
> it up for our HP ProCurve switches (a mixture of 2810s and 2610s) and
> after a small struggle it's working really nicely, so thanks.
>
> We also use several MikroTik routers around the company, so I wanted to
> be able to add these to rancid. These aren't supported yet, so I wanted
> to add support for them, but I haven't a clue where to start. Can anyone
> give me a bit of an introduction please? Suffice to say they're nothing
> like Ciscos or HPs with their own CLI accessible by SSH or Telnet so
> they would need a whole new set of scripts to poll.
>
> Any hints would be really appreciated.
>
> Cheers,
> Chris
> _______________________________________________
> Rancid-discuss mailing list
> Rancid-discuss at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss
>

From asmirnoff at office.beeline.ru Wed Apr 1 06:33:23 2009
From: asmirnoff at office.beeline.ru (Smirnoff Alexander)
Date: Wed, 1 Apr 2009 10:33:23 +0400
Subject: [rancid] Re: Who made changes?
In-Reply-To: <20090331181314.GC4376@shrubbery.net>
References: <546904b0903311016qc2cd291s4311ed6b38dc577b@mail.gmail.com> <20090331181314.GC4376@shrubbery.net>
Message-ID: <986544234AB0A44BADE40DF502E2012A014C52F3@SPBMAIL.spb.sovintel.net>

I am thinking about AAA for this question, and maybe anybody has a working scheme of this correlation?

-----Original Message-----
From: rancid-discuss-bounces at shrubbery.net [mailto:rancid-discuss-bounces at shrubbery.net] On Behalf Of john heasley Sent: Tuesday, March 31, 2009 10:13 PM To: Paul Buts Cc: rancid-discuss at shrubbery.net Subject: [rancid] Re: Who made changes? Tue, Mar 31, 2009 at 07:16:43PM +0200, Paul Buts: > Hi all, > > I installed Rancid in combination with FreeBSD CVSWeb on a Debian server. > Everything is working, great! > > There is only one thing I want to know: is it possible to show who made the > changes in telnet? At this moment the webpage is telling me that the unix > user (who runned Rancid) has made the changes. For example, I have more > telnet accounts. One for Paul and one for Peter. If Paul made one change, > and Peter made two changes, I want that the webpage is telling me exactly > who made a change. correlated changes to AAA command accounting records, the only reliable way. _______________________________________________ Rancid-discuss mailing list Rancid-discuss at shrubbery.net http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss From bmahaffey at pelco.com Wed Apr 1 17:47:39 2009 From: bmahaffey at pelco.com (Mahaffey, Brian) Date: Wed, 1 Apr 2009 10:47:39 -0700 Subject: [rancid] ASA PIX Written by DIFFS Message-ID: <4BBAF403456ED74981E7164ED3A4C224010C9FFC@CA-EVS02.pelco.org> Hello, I get the following diff every rancid-run. Rancid Version 2.3.2a9 Just on the following devices ASA version 8.0(4) PIX version 8.0(4) & 7.2(4) Index: configs/b5-m-c5520.pelco.org =================================================================== retrieving revision 1.907 diff -U 4 -r1.907 b5-m-c5520.pelco.org 
@@ -64,9 +64,9 @@ ! ! config-register 0x1 : Saved - : Written by rancidbk at 00:23:03.433 PDT Wed Apr 1 2009 + : Written by rancidbk at 10:38:52.023 PDT Wed Apr 1 2009 ! ASA Version 8.0(4) ! hostname B5-M-C5520 I ran across this on the archives but I am unsure how to apply it and where. Any ideas would be appreciated! I think this change, not in 2.3.2a9, will fix this problem. Index: rancid.in =================================================================== RCS file: /home/rancid/.CVS/rancid/bin/rancid.in,v retrieving revision 1.251 retrieving revision 1.253 diff -d -u -r1.251 -r1.253 --- rancid.in 26 Nov 2008 17:43:41 -0000 1.251 +++ rancid.in 2 Feb 2009 21:40:14 -0000 1.253 @@ -1,6 +1,6 @@ #! @PERLV_PATH@ ## -## $Id: rancid.in,v 1.251 2008/11/26 17:43:41 heas Exp $ +## $Id: rancid.in,v 1.253 2009/02/02 21:40:14 heas Exp $ ## ## @PACKAGE@ @VERSION@ ## Copyright (c) 1997-2008 by Terrapin Communications, Inc. @@ -1522,6 +1522,7 @@ last if (/^$prompt/); return(1) if /Line has invalid autocommand /; return(1) if (/(Invalid input detected|Type help or )/i); + return(1) if /\%Error: No such file or directory/; return(0) if ($found_end); # Only do this routine once return(-1) if (/command authorization failed/i); # the pager can not be disabled per-session on the PIX @@ -1550,6 +1551,8 @@ # some versions have other crap mixed in with the bits in the # block above /^! (Last configuration|NVRAM config last)/ && next; + # and for the ASA + /^: (Written by \w+ at|Saved)/ && next; # skip consecutive comment lines to avoid oscillating extra comment # line on some access servers. grrr. 
@@ -1823,7 +1826,7 @@ next; } - /^Cryptochecksum:/ && next; + /^ *Cryptochecksum:/ && next; # catch anything that wasnt matched above. ProcessHistory("","","","$_"); Thank you, Brian Mahaffey Sr. Network Engineer Pelco (559) 292.1981 ext 5323 (559) 840.5686 Mobile AIM/GTALK/MSN: bmahaffey at gmail.com - ------------------------------------------------------------------------------ Confidentiality Notice: The information contained in this transmission is legally privileged and confidential, intended only for the use of the individual(s) or entities named above. This email and any files transmitted with it are the property of Pelco. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any review, disclosure, copying, distribution, retention, or any action taken or omitted to be taken in reliance on it is prohibited and may be unlawful. If you receive this communication in error, please notify us immediately by telephone call to +1-559-292-1981 or forward the e-mail to administrator at pelco.com and then permanently delete the e-mail and destroy all soft and hard copies of the message and any attachments. Thank you for your cooperation. - ------------------------------------------------------------------------------ -------------- next part -------------- An HTML attachment was scrubbed... URL: http://www.shrubbery.net/pipermail/rancid-discuss/attachments/20090401/87009b11/attachment.html From heas at shrubbery.net Wed Apr 1 18:11:47 2009 
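Review bot: In the @@ -1522,6 +1522,7 @@ hunk, the added test /\%Error: No such file or directory/ is unanchored and case-sensitive, while the check on the line directly above it uses /i. Any line that merely contains that text would also make the routine return 1. If the device prints the error at the start of a line, anchoring the pattern with ^ would limit the match to that line, and the backslash before % is not needed in a Perl pattern.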
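Review bot: In the @@ -1550,6 +1551,8 @@ hunk, \w+ in /^: (Written by \w+ at|Saved)/ matches only letters, digits and underscore, so a "Written by" line for a username containing "-" or "." would not be skipped and would keep producing the per-run diff shown at the top of this message. Using \S+ would cover those names. The "Saved" alternative has no end anchor, so every line beginning ": Saved" is dropped; adding \s*$ after it would make the intent explicit.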
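Review bot: In the @@ -1823,7 +1826,7 @@ hunk, /^ *Cryptochecksum:/ tolerates leading spaces only. /^\s*Cryptochecksum:/ would also cover a tab-indented line, and a one-line comment saying which platform indents the checksum would match the "# and for the ASA" comment added in the previous hunk.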
From: heas at shrubbery.net (john heasley)
Date: Wed, 1 Apr 2009 18:11:47 +0000
Subject: [rancid] Re: Who made changes?
In-Reply-To: <986544234AB0A44BADE40DF502E2012A014C52F3@SPBMAIL.spb.sovintel.net>
References: <546904b0903311016qc2cd291s4311ed6b38dc577b@mail.gmail.com> <20090331181314.GC4376@shrubbery.net> <986544234AB0A44BADE40DF502E2012A014C52F3@SPBMAIL.spb.sovintel.net>
Message-ID: <20090401181147.GD7653@shrubbery.net>

Wed, Apr 01, 2009 at 10:33:23AM +0400, Smirnoff Alexander:
> I am think about AAA for this question, and may be anybody have working
> scheme of this correlation?

AAA command accounting logs the commands the user enters and the AAA
server can save those with the username and a timestamp. those logs can be
correlated with rancid diffs by the timestamp (cvs diff -D), though multiple
changes may occur between diffs and only the end result will be caught.

It'd seem that command accounting alone, or just exec start/stop accounting,
would be sufficient to point fingers.

> -----Original Message-----
> From: rancid-discuss-bounces at shrubbery.net
> [mailto:rancid-discuss-bounces at shrubbery.net] On Behalf Of john heasley
> Sent: Tuesday, March 31, 2009 10:13 PM
> To: Paul Buts
> Cc: rancid-discuss at shrubbery.net
> Subject: [rancid] Re: Who made changes?
>
> Tue, Mar 31, 2009 at 07:16:43PM +0200, Paul Buts:
> > Hi all,
> >
> > I installed Rancid in combination with FreeBSD CVSWeb on a Debian server.
> > Everything is working, great!
> >
> > There is only one thing I want to know: is it possible to show who made the
> > changes in telnet? At this moment the webpage is telling me that the unix
> > user (who ran Rancid) has made the changes. For example, I have more
> > telnet accounts. One for Paul and one for Peter. If Paul made one change,
> > and Peter made two changes, I want that the webpage is telling me exactly
> > who made a change.
>
> correlated changes to AAA command accounting records, the only reliable
> way.

From daniel.medina at gmail.com Wed Apr 1 19:05:33 2009
From: daniel.medina at gmail.com (Daniel Medina)
Date: Wed, 1 Apr 2009 15:05:33 -0400
Subject: [rancid] Re: Who made changes?
In-Reply-To: <20090331181314.GC4376@shrubbery.net>
References: <546904b0903311016qc2cd291s4311ed6b38dc577b@mail.gmail.com> <20090331181314.GC4376@shrubbery.net>
Message-ID: <20090401190533.GA97460@monkey.local>

On Tue, Mar 31, 2009 at 06:13:15PM +0000, john heasley wrote:
> correlated changes to AAA command accounting records, the only reliable way.

I'll add one more idea to this: proxy requests through a wrapper with
authentication. Even if you have kit that doesn't support / use AAA, force
changes to go through a wrapper which logs access and keystrokes. clogin
provides a good starting point for this :)

--
Daniel Medina

From smunzani at comcast.net Wed Apr 1 20:41:09 2009
From: smunzani at comcast.net (Sam Munzani)
Date: Wed, 01 Apr 2009 15:41:09 -0500
Subject: [rancid] Re: Who made changes?
In-Reply-To:
References: <546904b0903311016qc2cd291s4311ed6b38dc577b@mail.gmail.com>
Message-ID: <49D3D165.302@comcast.net>

K K wrote:
> 2009/3/31 Paul Buts :
>
>> There is only one thing I want to know: is it possible to show who made the
>> changes in telnet? At this moment the webpage is telling me that the unix
>> user (who ran Rancid) has made the changes. For example, I have more
>> telnet accounts. One for Paul and one for Peter. If Paul made one change,
>> and Peter made two changes, I want that the webpage is telling me exactly
>> who made a change.
>>
>> Any hints or keywords would be really appreciated. Thanks!
>>
>
> If Paul makes one change at noon, then Peter logs in at 4PM and makes
> two more, and then Rancid finally runs at 6PM, you'll get one change
> email, showing the sum of all changes and (usually) showing that Peter
> was the last one to make a change.
>
> One workaround to this is to enable SNMP traps and/or syslog on each
> device, and tie your trapper/syslogger into your rancid server.
>

If the device you are dealing with is a cisco router or switch, it generates a trap when you do write mem. Set an action script for that OID that triggers rancid. At home I built a concept setup where I do this. Configure net-snmp's snmptrapd.conf so that for OID X it triggers rancid-run. This will ensure you are 100% up to date on the backup. I don't have access to my box now otherwise I could send you a sample snmptrapd.conf.

Thanks,
sam

> I have mine configured such that syslog-ng writes all events related
> to Cisco configuration changes to a directory change-events, into
> files named for the source device and hour of the day. Then each hour
> a cron job executes, reads the list of these files, and runs Rancid
> against the specific devices found. At the end of the script, it
> deletes any file in change-events older than 20 hours.
>
> This still won't catch every change by every user. For that, at least
> on Cisco, you can enable per-command logging.

From GeertJan.deGroot at xs4all.nl Wed Apr 1 21:42:11 2009
From: GeertJan.deGroot at xs4all.nl (Geert Jan de Groot)
Date: Wed, 01 Apr 2009 23:42:11 +0200
Subject: [rancid] Re: Who made changes?
In-Reply-To: Your message of "Tue, 31 Mar 2009 13:07:47 CDT."
Message-ID: <200904012142.n31LgB9k029300@berserkly.xs4all.nl>

On Tue, 31 Mar 2009 13:07:47 -0500 K K wrote:
> > There is only one thing I want to know: is it possible to show who made the
> > changes in telnet?
> If Paul makes one change at noon, then Peter logs in at 4PM and makes
> two more, and then Rancid finally runs at 6PM, you'll get one change
> email, showing the sum of all changes and (usually) showing that Peter
> was the last one to make a change.

At the place where I hope to implement rancid (restrictions are
political, not technical, as usual), the network is set up
in such a way that operators do not have passwords of the devices
they manage. They log in (with their own password) in a subsystem
which, if allowed, will log in the operator automatically.

Advantage is that if persons leave the company, they don't know passwords
and no passwords need to be changed.

Current line of thought is to have the logout event trigger a rancid run
on the device people just logged into.

Just another thought,

Geert Jan

From bmahaffey at pelco.com Wed Apr 1 22:00:53 2009
From: bmahaffey at pelco.com (Mahaffey, Brian)
Date: Wed, 1 Apr 2009 15:00:53 -0700
Subject: [rancid] Re: Who made changes?
In-Reply-To: <200904012142.n31LgB9k029300@berserkly.xs4all.nl>
References: Your message of "Tue, 31 Mar 2009 13:07:47 CDT." <200904012142.n31LgB9k029300@berserkly.xs4all.nl>
Message-ID: <4BBAF403456ED74981E7164ED3A4C224010CA04B@CA-EVS02.pelco.org>

We utilize Rancid to do backups 1 time per night. Our NOC is pretty good at not changing configurations but I understand the need. You can modify the cron jobs to run every 1-5 minutes.

We utilize Cisco ACS for AAA and see every command with accounting enabled on the switch/router/firewall etc from the reporting in ACS. We also configure Archive configuration that sends the commands typed to a syslog & log buffer just in case you have to troubleshoot you can go step by step back to fix the problem.

As for passwords, we utilize user accounts and as they leave we disable their user account, depending on the type of device.

Example Cisco Config for syslog

archive
 log config
  logging enable
  logging size 500
  notify syslog contenttype plaintext
  hidekeys
 path disk0:/backup.cfg
 maximum 14
(I think this triggers a backup on the configuration change or a wr mem to the disk0:/backup.cfg)
!
Logging 10.10.10.10
!

Sh log

000282: Mar 13 11:07:06.621 PDT: %PARSER-5-CFGLOG_LOGGEDCMD: User:Brian logged command:vlan 551
000283: Mar 13 11:07:09.853 PDT: %PARSER-5-CFGLOG_LOGGEDCMD: User:Rod logged command:name B6-EAC
000284: Mar 13 11:07:11.505 PDT: %PARSER-5-CFGLOG_LOGGEDCMD: User:John logged command:exit

Same thing populates our syslog server

Not sure if this will help you.

-----Original Message-----
From: rancid-discuss-bounces at shrubbery.net [mailto:rancid-discuss-bounces at shrubbery.net] On Behalf Of Geert Jan de Groot
Sent: Wednesday, April 01, 2009 2:42 PM
To: rancid-discuss at shrubbery.net
Subject: [rancid] Re: Who made changes?

On Tue, 31 Mar 2009 13:07:47 -0500 K K wrote:
> > There is only one thing I want to know: is it possible to show who made the
> > changes in telnet?
> If Paul makes one change at noon, then Peter logs in at 4PM and makes
> two more, and then Rancid finally runs at 6PM, you'll get one change
> email, showing the sum of all changes and (usually) showing that Peter
> was the last one to make a change.

At the place where I hope to implement rancid (restrictions are political, not technical, as usual), the network is set up in such a way that operators do not have passwords of the devices they manage. They log in (with their own password) in a subsystem which, if allowed, will log in the operator automatically.

Advantage is that if persons leave the company, they don't know passwords and no passwords need to be changed.

Current line of thought is to have the logout event trigger a rancid run on the device people just logged into.

Just another thought,

Geert Jan

From heas at shrubbery.net Wed Apr 1 22:05:06 2009
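The timestamp correlation discussed in this thread, as an added example that is not part of any poster's message or of RANCID: it parses the CFGLOG_LOGGEDCMD lines quoted in the message above and assigns each logged command to the first rancid revision committed at or after it. The revision times, the year (these log lines carry none), the log lines marked constructed and all function names are assumptions made for the illustration.

```python
import re
from bisect import bisect_left
from datetime import datetime

# Matches the "sh log" / syslog form quoted in the message above, e.g.
# 000282: Mar 13 11:07:06.621 PDT: %PARSER-5-CFGLOG_LOGGEDCMD: User:Brian logged command:vlan 551
CFGLOG = re.compile(
    r"^(?:\d+: )?[*.]?(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d(?:\.\d+)?)"
    r"(?: [A-Z]+)?: %PARSER-5-CFGLOG_LOGGEDCMD: "
    r"User:(?P<user>\S+) +logged command:(?P<cmd>.*)$"
)


def parse_cfglog(lines, year):
    """Return time-sorted (when, user, command) tuples for config-log lines.

    The year is supplied by the caller (assumption: logs are processed in the
    year they were written). The zone label is ignored, so the revision
    times passed to attribute() must be in the device's local time.
    """
    events = []
    for line in lines:
        m = CFGLOG.match(line.strip())
        if m is None:
            continue  # not a per-command config log line
        ts = m.group("ts")
        fmt = "%Y %b %d %H:%M:%S.%f" if "." in ts else "%Y %b %d %H:%M:%S"
        when = datetime.strptime(f"{year} {ts}", fmt)
        events.append((when, m.group("user"), m.group("cmd").strip()))
    return sorted(events)


def attribute(commit_times, events):
    """Bucket each command under the first revision committed at or after it.

    Commands newer than the last revision are returned separately: rancid
    has not collected the device since they were typed.
    """
    commits = sorted(commit_times)
    windows = {c: [] for c in commits}
    pending = []
    for ev in events:
        i = bisect_left(commits, ev[0])
        (windows[commits[i]] if i < len(commits) else pending).append(ev)
    return windows, pending


def report(commit_times, events):
    """Classify every revision by how many users typed commands before it.

    unattributed: the config changed but no command was logged in the window
    single-user:  every logged command in the window came from one user
    shared:       several users changed the device between two rancid runs,
                  so the diff alone cannot say who changed which line
    """
    windows, pending = attribute(commit_times, events)
    rows = []
    for commit, evs in windows.items():
        users = sorted({user for _, user, _ in evs})
        if not evs:
            verdict = "unattributed"
        elif len(users) == 1:
            verdict = "single-user"
        else:
            verdict = "shared"
        rows.append((commit, verdict, users, [cmd for _, _, cmd in evs]))
    return rows, pending


# Lines 000282-000284 are the ones quoted above; the others are constructed.
SAMPLE_LOG = [
    "000281: Mar 13 11:06:50.100 PDT: %SYS-5-CONFIG_I: Configured from console by Brian on vty0",
    "000282: Mar 13 11:07:06.621 PDT: %PARSER-5-CFGLOG_LOGGEDCMD: User:Brian logged command:vlan 551",
    "000283: Mar 13 11:07:09.853 PDT: %PARSER-5-CFGLOG_LOGGEDCMD: User:Rod logged command:name B6-EAC",
    "000284: Mar 13 11:07:11.505 PDT: %PARSER-5-CFGLOG_LOGGEDCMD: User:John logged command:exit",
    "000291: Mar 13 16:20:01.004 PDT: %PARSER-5-CFGLOG_LOGGEDCMD: User:Rod logged command:no vlan 551",
    "000299: Mar 14 09:15:42.310 PDT: %PARSER-5-CFGLOG_LOGGEDCMD: User:Brian logged command:interface Vlan10",
]

# Constructed revision times for one device, as "cvs log" would list them.
SAMPLE_COMMITS = [
    datetime(2009, 3, 13, 1, 0),
    datetime(2009, 3, 13, 12, 0),
    datetime(2009, 3, 14, 1, 0),
]

if __name__ == "__main__":
    rows, pending = report(SAMPLE_COMMITS, parse_cfglog(SAMPLE_LOG, 2009))
    for commit, verdict, users, cmds in rows:
        print(f"{commit}  {verdict:12}  {','.join(users) or '-'}  {cmds}")
    for when, user, cmd in pending:
        print(f"not yet collected: {when} {user}: {cmd}")
```

A revision reported as unattributed is the case worth a second look: the stored configuration changed although no per-command log line falls in its window.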
From: heas at shrubbery.net (john heasley)
Date: Wed, 1 Apr 2009 22:05:06 +0000
Subject: [rancid] Re: Who made changes?
In-Reply-To: <200904012142.n31LgB9k029300@berserkly.xs4all.nl>
References: <200904012142.n31LgB9k029300@berserkly.xs4all.nl>
Message-ID: <20090401220506.GZ7653@shrubbery.net>

Wed, Apr 01, 2009 at 11:42:11PM +0200, Geert Jan de Groot:
> On Tue, 31 Mar 2009 13:07:47 -0500 K K wrote:
> > > There is only one thing I want to know: is it possible to show who made the
> > > changes in telnet?
> > If Paul makes one change at noon, then Peter logs in at 4PM and makes
> > two more, and then Rancid finally runs at 6PM, you'll get one change
> > email, showing the sum of all changes and (usually) showing that Peter
> > was the last one to make a change.
>
> At the place where I hope to implement rancid (restrictions are
> political, not technical, as usual), the network is set up
> in such a way that operators do not have passwords of the devices
> they manage. They log in (with their own password) in a subsystem
> which, if allowed, will log in the operator automatically.
>
> Advantage is that if persons leave the company, they don't know passwords
> and no passwords need to be changed.

you can do that, at least for ciscos, with AAA and automate the change of
the in-configuration/failsafe passwords, since the "in-config" passwords
are only used when the AAA server is inaccessible.

> Current line of thought is to have the logout event trigger a rancid run
> on the device people just logged into.

folks have done that; I think I mentioned it in the FAQ

From bootc at bootc.net Thu Apr 2 08:32:15 2009
From: bootc at bootc.net (Chris Boot)
Date: Thu, 02 Apr 2009 09:32:15 +0100
Subject: [rancid] Re: Adding a new device type
In-Reply-To: <49D33CDE.60809@bootc.net>
References: <49D1EB91.2000607@bootc.net> <370BD08812250148A3EC9CFC41A6D60101772FCEEC@EXCHANGE1.orm.omniture.com> <49D33CDE.60809@bootc.net>
Message-ID: <49D4780F.6060908@bootc.net>

All,

I've attached the patch since Thunderbird seems to mangle tabs.

HTH,
Chris

Chris Boot wrote:
> Mike,
>
> Many thanks! I have a set of working scripts now. Where do I send my patch?
>
> Cheers,
> Chris
>
> Mike Ashcraft wrote:
>
>> Chris,
>>
>> The quick basics:
>>
>> 1 -- Create an expect script similar to clogin that can connect to the device and run commands. You may be able to start with one of the existing *login scripts found in the bin directory, if they partially work on your device, to speed up the process. If you can find one that already works, use it. This would need to telnet in and the MikroTik interface is fairly simple. clogin might work for you with only minimal changes to address the format of the prompt.
>>
>> 2 -- create a perl script similar to rancid that uses the login expect script from the previous step to obtain the configuration and parse/sort it as needed to clean up the output. For example on the MikroTik this may just run the 'export' command and discard the login output and CLI prompt.
>>
>> 3 -- Add your new device type to rancid-fe
>>
>> 4 -- Setup the new devices in router.db using your new device type
>>
>> Good luck,
>>
>> Mike
>>
>> -----Original Message-----
>> From: rancid-discuss-bounces at shrubbery.net [mailto:rancid-discuss-bounces at shrubbery.net] On Behalf Of Chris Boot
>> Sent: Tuesday, March 31, 2009 4:08 AM
>> To: rancid-discuss at shrubbery.net
>> Subject: [rancid] Adding a new device type
>>
>> All,
>>
>> I've just discovered RANCID after an entry on the SANS ISC blog
>> (http://isc.sans.org/diary.html?storyid=6100) - very nice tool. I've set
>> it up for our HP ProCurve switches (a mixture of 2810s and 2610s) and
>> after a small struggle it's working really nicely, so thanks.
>>
>> We also use several MikroTik routers around the company, so I wanted to
>> be able to add these to rancid. These aren't supported yet, so I wanted
>> to add support for them, but I haven't a clue where to start. Can anyone
>> give me a bit of an introduction please? Suffice to say they're nothing
>> like Ciscos or HPs with their own CLI accessible by SSH or Telnet so
>> they would need a whole new set of scripts to poll.
>>
>> Any hints would be really appreciated.
>>
>> Cheers,
>> Chris

-------------- next part --------------
A non-text attachment was scrubbed...
Name: rancid-mikrotik.patch
Type: text/x-patch
Size: 27861 bytes
Desc: not available
Url : http://www.shrubbery.net/pipermail/rancid-discuss/attachments/20090402/193704cd/attachment.bin

From dante at thaumaturge.org Thu Apr 2 14:55:04 2009
From: dante at thaumaturge.org (Åge Olai Johnsen)
Date: Thu, 2 Apr 2009 16:55:04 +0200
Subject: [rancid] Re: Who made changes?
In-Reply-To:
References: <546904b0903311016qc2cd291s4311ed6b38dc577b@mail.gmail.com>
Message-ID: <9FEF778C-9609-4C59-ADD7-D5BE01C332D4@thaumaturge.org>

On 31 March 2009 at 20:07, K K wrote:
> 2009/3/31 Paul Buts :
>>
>> Any hints or keywords would be really appreciated. Thanks!
>
>
> I have mine configured such that syslog-ng writes all events related
> to Cisco configuration changes to a directory change-events, into
> files named for the source device and hour of the day. Then each hour
> a cron job executes, reads the list of these files, and runs Rancid
> against the specific devices found. At the end of the script, it
> deletes any file in change-events older than 20 hours.
>
> This still won't catch every change by every user. For that, at least
> on Cisco, you can enable per-command logging.

Hi! Do you have any URL pointing to a similar setup? Looks like a perfect match for my rancid-configuration.

-Åge

From Aaron.Smith at sfmta.com Sat Apr 4 00:12:49 2009
From: Aaron.Smith at sfmta.com (Smith, Aaron)
Date: Fri, 3 Apr 2009 17:12:49 -0700
Subject: [rancid] the expect problem
Message-ID:

Hello everyone, sorry to bother everyone with this, but I'm having a devil of a time getting around the expect bug...I've tried running the patch against my system, tried a new install using the posted expect and tcl from the rancid ftp server, but no luck, I still get the timeout.

Would someone be so kind as to list out a working linux distribution, version, etc, and as well as if you used the posted source from the rancid ftp server or somewhere else?

Even if I have to go back several versions, whatever it takes, and I'm currently using debian 5, but that is no matter, I need to get my rancid back!!

Thanks

Aaron

From cgauthier at mapscu.com Sat Apr 4 00:30:40 2009
From: cgauthier at mapscu.com (Chris Gauthier)
Date: Fri, 3 Apr 2009 17:30:40 -0700
Subject: [rancid] Re: the expect problem
In-Reply-To:
References:
Message-ID: <0A9A5A2BC1C0A94C981AF5FCF2D2F338138FD9B8@mshin01.mapscu.com>

You should do a search on the archives for my ubuntu patch. I don't think Ubuntu was patched originally. I am not sure if it is patched since 8.04LTS.

Chris G.

From: rancid-discuss-bounces at shrubbery.net [mailto:rancid-discuss-bounces at shrubbery.net] On Behalf Of Smith, Aaron
Sent: Friday, April 03, 2009 5:13 PM
To: rancid-discuss at shrubbery.net
Subject: [rancid] the expect problem

Hello everyone, sorry to bother everyone with this, but I'm having a devil of a time getting around the expect bug...I've tried running the patch against my system, tried a new install using the posted expect and tcl from the rancid ftp server, but no luck, I still get the timeout.

Would someone be so kind as to list out a working linux distribution, version, etc, and as well as if you used the posted source from the rancid ftp server or somewhere else?

Even if I have to go back several versions, whatever it takes, and I'm currently using debian 5, but that is no matter, I need to get my rancid back!!

Thanks

Aaron

From heas at shrubbery.net Sat Apr 4 06:59:00 2009
From: heas at shrubbery.net (john heasley)
Date: Sat, 4 Apr 2009 06:59:00 +0000
Subject: [rancid] Re: the expect problem
In-Reply-To:
References:
Message-ID: <20090404065900.GB13959@shrubbery.net>

Fri, Apr 03, 2009 at 05:12:49PM -0700, Smith, Aaron:
> Hello everyone, sorry to bother everyone with this, but I'm having a
> devil of a time getting around the expect bug...I've tried running the
> patch against my system, tried a new install using the posted expect and
> tcl from the rancid ftp server, but no luck, I still get the timeout.
>
> Would someone be so kind as to list out a working linux distribution,
> version, etc, and as well as if you used the posted source from the
> rancid ftp server or somewhere else?

use whatever linux you want. get the expect source that matches whatever
tcl you have. apply the patch. make. install. and you're done.

and, besides this being a good idea for all linux folks, other timeouts can
occur, such as mismatched autoenable. i dont recall you having described
the timeout.

> Even if I have to go back several versions, whatever it takes, and I'm
> currently using debian 5, but that is no matter, I need to get my rancid
> back!!
>
> Thanks
>
> Aaron

From bmahaffey at pelco.com Mon Apr 6 17:06:55 2009
From: bmahaffey at pelco.com (Mahaffey, Brian) Date: Mon, 6 Apr 2009 10:06:55 -0700 Subject: [rancid] Device removing and adding configuration on Diffs Message-ID: <4BBAF403456ED74981E7164ED3A4C224010CA1D4@CA-EVS02.pelco.org> Hello, I was wondering if anyone has ran into this issue. Version 2.3.2a9 On each rancid-run on this certain device the configuration gets removed and re-added from what the diff says but the configuration hasn't be touched. (forgive my wording not trying to put blame on rancid) For example Index: configs/6513.pelco.org =================================================================== retrieving revision 1.228 diff -U 4 -r1.228 6513.pelco.org @@ -5684,12 +5684,8 @@ NOTICE TO USERS ======================================================================== ===== This is an official computer system and is the property of Pelco. - It is for authorized users only. Unauthorized users are - prohibited. Users (authorized or unauthorized) have no explicit or - implicit expectation of privacy. Any or all uses of this system may be - subject to one or more of the following actions: interception, of other agencies, both domestic and foreign. By using this system, the user consents to these actions. Unauthorized or improper use of this system may result in administrative disciplinary action and civil and Next Poll Index: configs/6513.pelco.org =================================================================== retrieving revision 1.229 diff -U 4 -r1.229 6513.pelco.org 
@@ -5684,8 +5684,12 @@ NOTICE TO USERS ======================================================================== ===== This is an official computer system and is the property of Pelco. + It is for authorized users only. Unauthorized users are prohibited. + Users (authorized or unauthorized) have no explicit or implicit + expectation of privacy. Any or all uses of this system may be subject + to one or more of the following actions: interception, of other agencies, both domestic and foreign. By using this system, the user consents to these actions. Unauthorized or improper use of this system may result in administrative disciplinary action and civil and Thank you, Brian Mahaffey Sr. Network Engineer Pelco (559) 292.1981 ext 5323 (559) 840.5686 Mobile AIM/GTALK/MSN: bmahaffey at gmail.com - ------------------------------------------------------------------------------ Confidentiality Notice: The information contained in this transmission is legally privileged and confidential, intended only for the use of the individual(s) or entities named above. This email and any files transmitted with it are the property of Pelco. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any review, disclosure, copying, distribution, retention, or any action taken or omitted to be taken in reliance on it is prohibited and may be unlawful. If you receive this communication in error, please notify us immediately by telephone call to +1-559-292-1981 or forward the e-mail to administrator at pelco.com and then permanently delete the e-mail and destroy all soft and hard copies of the message and any attachments. Thank you for your cooperation. - ------------------------------------------------------------------------------ -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://www.shrubbery.net/pipermail/rancid-discuss/attachments/20090406/0a3e145f/attachment.html From Bob.Brunette at cdw.com Tue Apr 7 18:13:01 2009 From: Bob.Brunette at cdw.com (Bob Brunette) Date: Tue, 7 Apr 2009 13:13:01 -0500 Subject: [rancid] Cisco Nexus support Message-ID: I have to begin backing up Cisco Nexus 5000 converged switches in the near future, and I see that version 2.3.2a9 includes some Nexus support, especially in the nxrancid script. I don't see anything in there for the FCoE and SAN stuff though. Is anybody else working on that yet? If not, I'll start digging into it. Any suggestions or requests for what to collect are welcome. Thanks, Bob Brunette Senior Network Engineer CDW Hosting and Managed Services 5520 Research Park Dr. Madison, WI 53711 608.298.1506 - direct 608.298.3007 - fax bob.brunette at cdw.com From heas at shrubbery.net Wed Apr 8 02:03:24 2009 From: heas at shrubbery.net (john heasley) Date: Wed, 8 Apr 2009 02:03:24 +0000 Subject: [rancid] Re: Cisco Nexus support In-Reply-To: References: Message-ID: <20090408020324.GA24486@shrubbery.net> Tue, Apr 07, 2009 at 01:13:01PM -0500, Bob Brunette: > I have to begin backing up Cisco Nexus 5000 converged switches in the near future, and I see that version 2.3.2a9 includes some Nexus support, especially in the nxrancid script. I don't see anything in there for the FCoE and SAN stuff though. Is anybody else working on that yet? If not, I'll start digging into it. Any suggestions or requests for what to collect are welcome. > afaik, they're all based on the same cli, so it should work though it may not collect some info specific to those platforms. From dmosuna at gmail.com Wed Apr 8 08:57:47 2009 
From: dmosuna at gmail.com (Désiré MOSUANLLEE) Date: Wed, 8 Apr 2009 12:57:47 +0400 Subject: [rancid] Problem with CVS repository Message-ID: <6e5045cc0904080157n1fbd739cg1721f05860ff607b@mail.gmail.com> Hi everyone, I've just installed rancid for my company. For the moment, all has gone very well for me (adding devices, accessing the devices via telnet or ssh, I've made rancid run every day at 1.00pm) but my problem is the web page (cvs repository). I see the CVSROOT and all my groups via the web page. When I access the configs of a group, /rancid/my_group/configs/Attic/, I've got deleted router in last log entry and I saw that the revision version is not updated at all although there are changes every day in the configs on this router. When I go into the logs, here is the message I've got: cvs status: use `cvs add' to create an entry for `router_name' cvs add: Re-adding file `router_name' after dead revision 1.2. cvs add: use `cvs commit' to add this file permanently cvs remove: removed `router_name' Deleted router_name Thank you very much for your help -------------- next part -------------- An HTML attachment was scrubbed... URL: http://www.shrubbery.net/pipermail/rancid-discuss/attachments/20090408/ecb9f624/attachment.html From Bob.Brunette at cdw.com Wed Apr 8 18:57:11 2009 From: Bob.Brunette at cdw.com (Bob Brunette) Date: Wed, 8 Apr 2009 13:57:11 -0500 Subject: [rancid] Re: Cisco Nexus support In-Reply-To: <20090408020324.GA24486@shrubbery.net> References: <20090408020324.GA24486@shrubbery.net> Message-ID: Yeah, it's the FCoE and SAN stuff that I'm specifically interested in. I'll begin building it into the nxrancid script. I can test it on my N5000, but don't currently have a N7000 to test it on. Would anybody be willing to test my modified nxrancid script on a N7000 until I have one of my very own? Thanks, Bob -----Original Message----- 
From: john heasley [mailto:heas at shrubbery.net] Sent: Tuesday, April 07, 2009 9:03 PM To: Bob Brunette Cc: rancid-discuss at shrubbery.net Subject: Re: [rancid] Cisco Nexus support Tue, Apr 07, 2009 at 01:13:01PM -0500, Bob Brunette: > I have to begin backing up Cisco Nexus 5000 converged switches in the near future, and I see that version 2.3.2a9 includes some Nexus support, especially in the nxrancid script. I don't see anything in there for the FCoE and SAN stuff though. Is anybody else working on that yet? If not, I'll start digging into it. Any suggestions or requests for what to collect are welcome. > afaik, they're all based on the same cli, so it should work though it may not collect some info specific to those platforms. From dmosuna at gmail.com Thu Apr 9 08:40:17 2009 From: dmosuna at gmail.com (=?ISO-8859-1?B?ROlzaXLp?=) Date: Thu, 9 Apr 2009 12:40:17 +0400 Subject: [rancid] Error in cvs repository Message-ID: <6e5045cc0904090140p7152ba9bg7a1f75d418e1de1@mail.gmail.com> Hello, I'm actually using cvs repository to show my configurations of my routers in rancid. I've got a message error when i tried to access the configurations of my router in Attic, telling me that my router is not(any longer) pertinent. When i go in the logs of rancid, there's the messages which appear : cvs status: use `cvs add' to create an entry for `router_name' cvs add: Re-adding file `router_name' after dead revision 1.2. cvs add: use `cvs commit' to add this file permanently cvs remove: removed `router_name' Deleted router_name Thank you very much for your help. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://www.shrubbery.net/pipermail/rancid-discuss/attachments/20090409/8fa8702c/attachment.html From bedwards at vuefoto.com Thu Apr 9 16:47:21 2009 
From: bedwards at vuefoto.com (Brent Edwards) Date: Thu, 9 Apr 2009 11:47:21 -0500 Subject: [rancid] Nortel / Bay howto Message-ID: I see this has been discussed a bit in the past on this list, but not seeing a clear direction. I have several Bay Stack 470-47T switches that I would like to run rancid against. My understanding is at this time rancid does not support these switches while the text based menu is being presented at login. It does appear that a patch has been written to help with this but according to some messages it has not been reliable. I apologize for my probably basic question here (I'm more familiar with Cisco gear), but my assumption is that if I can setup the switch to simply drop me into a CLI interface (i.e. no menu) at login that rancid will work just fine? Can any of you confirm this, and if so explain how that is accomplished. At the end of the day I'm just trying to get rancid to work against these Bay / Nortel switches, any help would be appreciated. Thanks in advance. -- Brent Edwards From heas at shrubbery.net Fri Apr 10 18:14:43 2009 
From: heas at shrubbery.net (john heasley) Date: Fri, 10 Apr 2009 18:14:43 +0000 Subject: [rancid] Re: Nortel / Bay howto In-Reply-To: References: Message-ID: <20090410181443.GL3911@shrubbery.net> Thu, Apr 09, 2009 at 11:47:21AM -0500, Brent Edwards: > I see this has been discussed a bit in the past on this list, but not > seeing a clear direction. > > I have several Bay Stack 470-47T switches that I would like to run > rancid against. My understanding is at this time rancid does not > support these switches while the text based menu is being presented at > login. It does appear that a patch has been written to help with this > but according to some messages it has not been reliable. I apologize > for my probably basic question here (I'm more familiar with Cisco > gear), but my assumption is that if I can setup the switch to simply > drop me into a CLI interface (i.e. no menu) at login that rancid will > work just fine? Can any of you confirm this, and if so explain how > that is accomplished. > > At the end of the day I'm just trying to get rancid to work against > these Bay / Nortel switches, any help would be appreciated. I dont have any of these boxes, but a number of folks have posted about trying to get rancid working with them. I believe the most recent and closest was this thread: http://www.shrubbery.net/pipermail/rancid-discuss/2008-October/003340.html From mwilson at northwestern.edu Mon Apr 13 18:00:59 2009 
From: mwilson at northwestern.edu (Matt Wilson) Date: Mon, 13 Apr 2009 13:00:59 -0500 Subject: [rancid] Support for Aruba devices In-Reply-To: References: Message-ID: <49E37DDB.9070103@northwestern.edu> Hi- Anyone out there successfully collecting from Aruba wireless controllers? Would you be willing to post/share your "arubarancid" and "arubalogin" scripts? It looks like the topic of collecting from Aruba wireless controllers pops up on the list from time to time, but when I did a google search for "site:shrubbery.net aruba", I did not see any scripts or success stories in the results. Thanks- Matt -- Matt Wilson Network Software Engineer, IT Telecomm and Network Services Northwestern University From brett.simpson at sykes.com Mon Apr 13 19:04:12 2009 From: brett.simpson at sykes.com (Simpson, Brett) Date: Mon, 13 Apr 2009 15:04:12 -0400 Subject: [rancid] Re: Support for Aruba devices In-Reply-To: <49E37DDB.9070103@northwestern.edu> References: <49E37DDB.9070103@northwestern.edu> Message-ID: I wrote some but haven't been able to get them to work through cron. If I manually run them they are ok. Haven't had a chance to work though some of the troubleshooting items from John Heasley. Hope to have some time this week to work on them again. I have attached my copies of the ones I'm using which are slightly modified from the cisco ones. From John Heasley but haven't had a chance to do yet: "looks like this this is confused by the terminal type. or, the terminal length to be exact. try sending a cmd to disable the pager. try setting ROWS and COLS in the environment from the rancid script." -----Original Message----- 
From: rancid-discuss-bounces at shrubbery.net [mailto:rancid-discuss-bounces at shrubbery.net] On Behalf Of Matt Wilson Sent: Monday, April 13, 2009 2:01 PM To: rancid-discuss at shrubbery.net Subject: [rancid] Support for Aruba devices Hi- Anyone out there successfully collecting from Aruba wireless controllers? Would you be willing to post/share your "arubarancid" and "arubalogin" scripts? It looks like the topic of collecting from Aruba wireless controllers pops up on the list from time to time, but when I did a google search for "site:shrubbery.net aruba", I did not see any scripts or success stories in the results. Thanks- Matt -- Matt Wilson Network Software Engineer, IT Telecomm and Network Services Northwestern University _______________________________________________ Rancid-discuss mailing list Rancid-discuss at shrubbery.net http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: removed.txt Url: http://www.shrubbery.net/pipermail/rancid-discuss/attachments/20090413/009121bb/attachment.txt -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: removed.txt Url: http://www.shrubbery.net/pipermail/rancid-discuss/attachments/20090413/009121bb/attachment-0001.txt From andrew.brennan at drexel.edu Mon Apr 13 18:15:23 2009 
From: andrew.brennan at drexel.edu (Andrew Brennan) Date: Mon, 13 Apr 2009 14:15:23 -0400 (EDT) Subject: [rancid] Re: Support for Aruba devices In-Reply-To: <49E37DDB.9070103@northwestern.edu> References: <49E37DDB.9070103@northwestern.edu> Message-ID: <20090413141213.I26023@dust.noc.drexel.edu> I haven't done it, but one issue is that their encrypted strings change between each run of "show configuration" even when the configuration is unaltered. andrew. On Mon, 13 Apr 2009, Matt Wilson wrote: > Hi- > > Anyone out there successfully collecting from Aruba wireless > controllers? Would you be willing to post/share your "arubarancid" and > "arubalogin" scripts? > > It looks like the topic of collecting from Aruba wireless controllers > pops up on the list from time to time, but when I did a google search > for "site:shrubbery.net aruba", I did not see any scripts or success > stories in the results. > > Thanks- > Matt > > -- > Matt Wilson > Network Software Engineer, IT Telecomm and Network Services > Northwestern University > _______________________________________________ > Rancid-discuss mailing list > Rancid-discuss at shrubbery.net > http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss > From mr.kania at yahoo.com Mon Apr 13 22:24:58 2009 
From: mr.kania at yahoo.com (Michael Kania) Date: Mon, 13 Apr 2009 15:24:58 -0700 (PDT) Subject: [rancid] HP Procuves losing mangement interfaces Message-ID: <623490.49564.qm@web82001.mail.mud.yahoo.com> All, I've been having a problem with a subset of switches periodically losing their management interfaces. We have 3 data centers set up within the United States and only 1 is having this problem. The problem data center is unique in that it is our largest (roughly ~110 hp procurve 2810s) and CPU usage on each switch averages 35-45%. The servers behind each switch remain connected while the management interface is down. Pinging, snmpget and ssh all fail. The downed management interface on the switch eventually recovers and logs don't show any sign of failure. The rancid logs show a timeout when trying to contact that switch and then 3 failures to ssh. I've found that when rancid polls the switch CPU usage spikes dramatically, and my assumption was that the severe spikes in CPU utilization cause the management interface to fall over. To mitigate against this, I've turned down the number of retries and the polling interval, but the problem still remains. Anyone familiar with this issue? I'm using rancid version : 2.3.2~a9 on debian etch Thanks, Mike Kania -------------- next part -------------- An HTML attachment was scrubbed... URL: http://www.shrubbery.net/pipermail/rancid-discuss/attachments/20090413/82a800f9/attachment.html From heas at shrubbery.net Mon Apr 13 23:17:40 2009 
From: heas at shrubbery.net (john heasley) Date: Mon, 13 Apr 2009 23:17:40 +0000 Subject: [rancid] Re: HP Procuves losing mangement interfaces In-Reply-To: <623490.49564.qm@web82001.mail.mud.yahoo.com> References: <623490.49564.qm@web82001.mail.mud.yahoo.com> Message-ID: <20090413231740.GK7603@shrubbery.net> Mon, Apr 13, 2009 at 03:24:58PM -0700, Michael Kania: > All, > > I've been having a problem with a subset of switches periodically losing their management interfaces. We have 3 data centers set up within the united states and only 1 is having this problem. The problem data center is unique in that it is our largest(roughly ~110 hp procurve 2810s) and CPU usage on each switch averages 35-45%. The servers behind each switch remain connected while the management interface is down. Pinging, snmpget and ssh all fail. The downed management interface on the switch eventually recovers and logs don't show any sign of failure. > > The rancid logs show a timeout when trying to contact that switch and then 3 failures to ssh. I've found that when rancid polls the switch CPU usage spikes dramatically, and my assumption was that the seviere spikes in CPU utilization causes the management interface to fall over. So mitigate against this, Ive turned down the number of retries and the polling interval, but the problem still remains. Anyone familiar with this issue? > > Im using rancid version : 2.3.2~a9 on debian etch > > Thanks, > Mike Kania > _______________________________________________ > Rancid-discuss mailing list > Rancid-discuss at shrubbery.net > http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss sounds like either a switch s/w bug or some over-zealous rate limiting. it is true that running rancid against any of the network devices will use cpu, a little more than a human running the same commands, but it shouldnt make the device fail. if it does, its the vendor's bug. From jody at ask4.com Tue Apr 14 08:55:56 2009 
From: jody at ask4.com (Jody Botham) Date: Tue, 14 Apr 2009 09:55:56 +0100 Subject: [rancid] Re: HP Procuves losing mangement interfaces In-Reply-To: <623490.49564.qm@web82001.mail.mud.yahoo.com> References: <623490.49564.qm@web82001.mail.mud.yahoo.com> Message-ID: <49E44F9C.5010705@ask4.com> Michael Kania wrote: > All, > > I've been having a problem with a subset of switches periodically losing > their management interfaces. We have 3 data centers set up within the > united states and only 1 is having this problem. The problem data center > is unique in that it is our largest(roughly ~110 hp procurve 2810s) and > CPU usage on each switch averages 35-45%. The servers behind each switch > remain connected while the management interface is down. Pinging, > snmpget and ssh all fail. The downed management interface on the switch > eventually recovers and logs don't show any sign of failure. > > The rancid logs show a timeout when trying to contact that switch and > then 3 failures to ssh. I've found that when rancid polls the switch CPU > usage spikes dramatically, and my assumption was that the seviere spikes > in CPU utilization causes the management interface to fall over. So > mitigate against this, Ive turned down the number of retries and the > polling interval, but the problem still remains. Anyone familiar with > this issue? > > Im using rancid version : 2.3.2~a9 on debian etch > > Thanks, > Mike Kania > > > ------------------------------------------------------------------------ > > _______________________________________________ > Rancid-discuss mailing list > Rancid-discuss at shrubbery.net > http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss What's the exact model of 2810 and what firmware are you running? We've had similar issues with ProCurve kit (different model of switch but I think the 2810 may have the same ASIC) recently and worked with them to resolve the bug in their firmware. You can mail me off list if you need to. 
Thanks, Jody From mgtiongco at powernet.com.ph Tue Apr 14 11:35:51 2009 From: mgtiongco at powernet.com.ph (Ma-Le G. Tiongco) Date: Tue, 14 Apr 2009 19:35:51 +0800 Subject: [rancid] Riverstone Router (and Enterasys 8600s, anyone?) Message-ID: <004601c9bcf5$2deb1400$89c13c00$@com.ph> Good day to you! I just have a question about riverstone 8600 serial module (4 port) and enterasys 8600 serial module.. Are they interchangeable? Can I use the serial module of Enterasys with Riverstone? Thanks Ma-le G. Tiongco PowerNet Systems Corporation Telephone No. 632 421 6182 or 83 loc 105 Fax No. 632 421 6197 loc 102 Mobile No. 63918 8009789 what we have done for ourselves alone dies with us; what we have done for others and the world remains and is immortal." -------------- next part -------------- An HTML attachment was scrubbed... URL: http://www.shrubbery.net/pipermail/rancid-discuss/attachments/20090414/226c4eb8/attachment.html From paul at paulbuts.nl Wed Apr 15 13:36:18 2009 
From: paul at paulbuts.nl (Paul Buts) Date: Wed, 15 Apr 2009 15:36:18 +0200 Subject: [rancid] Upload configs by webinterface? Message-ID: <546904b0904150636l612243a9sed731106174b4810@mail.gmail.com> Hi all, My situation: Unix Debian, RANCID, CVSweb, Cisco devices and Apache2. Is it possible to implement an upload script in the CVSweb page to upload Cisco configs to routers? If there are wrong changes, I want to restore them by web interface. Something like a restore button. Do you guys know if that's possible? I can make something with Shell, Expect and a TFTP server. My biggest problem is only how to implement it in the CVS webpage. Any hints or keywords would be really appreciated. Thanks! Cheers, Paul -------------- next part -------------- An HTML attachment was scrubbed... URL: http://www.shrubbery.net/pipermail/rancid-discuss/attachments/20090415/fa5e969e/attachment.html From heas at shrubbery.net Wed Apr 15 18:25:38 2009 
From: heas at shrubbery.net (john heasley) Date: Wed, 15 Apr 2009 11:25:38 -0700 Subject: [rancid] Re: Upload configs by webinterface? In-Reply-To: <546904b0904150636l612243a9sed731106174b4810@mail.gmail.com> References: <546904b0904150636l612243a9sed731106174b4810@mail.gmail.com> Message-ID: <20090415182538.GM28321@shrubbery.net> Wed, Apr 15, 2009 at 03:36:18PM +0200, Paul Buts: > Hi all, > > My situation: > Unix Debian, RANCID, CVSweb, Cisco devices and Apache2. > > Is it possible to implement an upload script in the CVSweb page to upload > Cisco configs to routers? If there are wrong changes, I want to restore them > by web interface. Something like a restore button. Do you guys know if thats > possible? difficult, unless you run ION; or copy file startup reload given the way the parser works. > I can make something with Shell, Expect and a TFTP server. My biggest > problem is only how to implement it in the CVS webpage. > > Any hints or keywords would be really appreciated. Thanks! > > Cheers, > Paul > _______________________________________________ > Rancid-discuss mailing list > Rancid-discuss at shrubbery.net > http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss From heas at shrubbery.net Thu Apr 16 00:03:22 2009 
From: heas at shrubbery.net (john heasley) Date: Wed, 15 Apr 2009 17:03:22 -0700 Subject: [rancid] Re: Upload configs by webinterface? In-Reply-To: <20090415182538.GM28321@shrubbery.net> References: <546904b0904150636l612243a9sed731106174b4810@mail.gmail.com> <20090415182538.GM28321@shrubbery.net> Message-ID: <20090416000322.GA3452@shrubbery.net> Wed, Apr 15, 2009 at 11:25:38AM -0700, john heasley: > Wed, Apr 15, 2009 at 03:36:18PM +0200, Paul Buts: > > Hi all, > > > > My situation: > > Unix Debian, RANCID, CVSweb, Cisco devices and Apache2. > > > > Is it possible to implement an upload script in the CVSweb page to upload > > Cisco configs to routers? If there are wrong changes, I want to restore them > > by web interface. Something like a restore button. Do you guys know if thats > > possible? > > difficult, unless you run ION; or Sorry, I meant IOX, which IIRC has the juniper-like configuration merging features. > copy file startup > reload > > given the way the parser works. > > > I can make something with Shell, Expect and a TFTP server. My biggest > > problem is only how to implement it in the CVS webpage. > > > > Any hints or keywords would be really appreciated. Thanks! > > > > Cheers, > > Paul > > > _______________________________________________ > > Rancid-discuss mailing list > > Rancid-discuss at shrubbery.net > > http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss From meskander at perimeterwatch.com Thu Apr 16 15:38:45 2009 
From: meskander at perimeterwatch.com (Mina Eskander) Date: Thu, 16 Apr 2009 11:38:45 -0400 Subject: [rancid] Re: Rancid with Fortigate Devices? Message-ID: Has anybody made progress with this? I set up a new rancid server and did a fnrancid with the following output. [rancid at pwcolocacti ~]$ bin/fnrancid -d pwcolofgt100c executing nlogin -t 90 -c"get system status;get conf" pwcolofgt100c pwcolofgt100c nlogin error: Error: TIMEOUT reached pwcolofgt100c nlogin error: Error: TIMEOUT reached pwcolofgt100c: missed cmd(s): get conf,get system status pwcolofgt100c: missed cmd(s): get conf,get system status 0: found end pwcolofgt100c: End of run not found pwcolofgt100c: End of run not found not really sure if it's because of a regex problem or the commands or what, I would appreciate any help with this. Mina Eskander Perimeterwatch Technologies Direct: +1 (347) 448-2845 Mobile: +1 (347) 510-4102 meskander at perimeterwatch.com Network Security | Disaster Recovery | Business Continuity | IT Projects | Application Development _____________________________________________________________________ New York: (347) 448-2845 - 34-12 36th Street - 2nd Floor - Astoria, NY 11106 -------------- next part -------------- An HTML attachment was scrubbed... URL: http://www.shrubbery.net/pipermail/rancid-discuss/attachments/20090416/49db7757/attachment.html From rhys.evans at Redblade.co.uk Thu Apr 16 16:14:31 2009 
From: rhys.evans at Redblade.co.uk (Rhys Evans) Date: Thu, 16 Apr 2009 17:14:31 +0100 Subject: [rancid] Rancid New Router Type Message-ID: <6830B5350FF4CA408E0C89A7FA1EDF8B8A8E934F56@EXBE01.domain.local> Hi I am relatively new to Rancid, and am looking for some help on adding a new router type. I have Rancid up and running for our Cisco and HP devices with no issues. Now back to the question. I would like to create a new device type for draytek (I know not great but we do have a few of them) routers . Please bear with me regarding my coding I'm not a programmer, I am also aware I have removed some of the checks etc. I will look at bring those in once I can get the config out putting fine. Now what I have managed to do is the following: 1) Edited rancid-fe and added the line "'draytek' => 'drancid'," in the vendor table (This seems to be working fine) 2) Hacked the clogin script and renamed it to dlogin. This again seems to be working as it logs into the router and I can enter commands and see the expected output (see end for script) 3) I have now created drancid which is a hack of rancid. This is where I am having my issue (see end for script) a. Now when I run "dlogin -d -c 'sys version;sys iface' 79.14.24.56 > debugoutput 2>&1" I get the following output (which is what I am expecting) ++++++++++++++++++++++++++++++++++++++++ dlogin -d -c 'sys version;sys iface' 79.14.24.56 > debugoutput 2>&1 79.14.24.56 Trying 79.14.24.56... Connected to 79.14.24.56.rdns.as8401.net (79.14.24.56). Escape character is '^]'. Password: ********** Type ? 
for command help > > > sys version Router Model: Vigor3100 series Version: v2.7.1 English Profile version: 0x2 Status: 1 (0xcd0a7a2) Router IP: 192.168.2.1 Netmask: 255.255.255.0 Firmware Build Date/Time: Wed Nov 29 16:32:4.45 2006 Revision: 173 ADSL Firmware Version: R308_1 Annex B > sys iface Interface 0 Ethernet: Status: UP IP Address: 192.168.2.1 Netmask: 0xFFFFFF00 (Private) IP Address: 79.14.24.56 Netmask: 0xFFFFFFF8 MAC: 00-50-7F-B7-5C-C8 Interface 3 PPPoE: Status: UP IP Address: 79.14.24.56 Netmask: 0xFFFFFFFF MAC: 00-50-7F-B7-5C-C9 > quitConnection closed by foreign host. ++++++++++++++++++++++++++++++++++++++++++ b. The issue now comes in when I run "drancid -d 79.14.24.56". I don't get the output I expect. I get the following. I suspect this is something to do with the commands in the commandtable calling the subs, I could be totally wrong here. (By the way I'm not looking for formatting at the moment just looking for some output) ++++++++++++++++++++++++++++++++++++++++++ drancid -d 79.14.24.56 executing dlogin -t 30 -c"sys version;sys iface" 79.14.24.56 79.14.24.56: missed cmd(s): sys version,sys iface 79.14.24.56: missed cmd(s): sys version,sys iface 79.14.24.56.new (output) !RANCID-CONTENT-TYPE: draytek ! ! ! ! ! +++++++++++++++++++++++++++++++++++++++++++ Any help with this would be greatly appreciated Thanks Scripts ++++++++++++++++++++++++++++++++++++++++++++++ dlogin #! 
/usr/bin/expect -- # # dlogin - draytek login # # Usage line set usage "Usage: $argv0 \[-dV\] \[-autoenable\] \[-noenable\] \[-c command\] \ \[-Evar=x\] \[-e enable-password\] \[-f cloginrc-file\] \[-p user-password\] \ \[-s script-file\] \[-t timeout\] \[-u username\] \ \[-v vty-password\] \[-w enable-username\] \[-x command-file\] \ \[-y ssh_cypher_type\] router \[router...\]\n" # env(CLOGIN) may contain: # x == do not set xterm banner or name # Password file set password_file $env(HOME)/.cloginrc # Default is to login to the router set do_command 0 set do_script 0 # The default is to automatically enable set avenable 1 # The default is that you login non-enabled (tacacs can have you login already # enabled) set avautoenable 0 # The default is to look in the password file to find the passwords. This # tracks if we receive them on the command line. set do_passwd 1 set do_enapasswd 1 # attempt at platform switching. set platform "" # set send_human {.2 .1 .4 .2 1} # Find the user in the ENV, or use the unix userid. if {[ info exists env(CISCO_USER) ]} { set default_user $env(CISCO_USER) } elseif {[ info exists env(USER) ]} { set default_user $env(USER) } elseif {[ info exists env(LOGNAME) ]} { set default_user $env(LOGNAME) } else { # This uses "id" which I think is portable. At least it has existed # (without options) on all machines/OSes I've been on recently - # unlike whoami or id -nu. if [ catch {exec id} reason ] { send_error "\nError: could not exec id: $reason\n" exit 1 } regexp {\(([^)]*)} "$reason" junk default_user } if {[ info exists env(CLOGINRC) ]} { set password_file $env(CLOGINRC) } # Sometimes routers take awhile to answer (the default is 10 sec) set timeout 45 # Process the command line for {set i 0} {$i < $argc} {incr i} { set arg [lindex $argv $i] switch -glob -- $arg { # Expect debug mode -d* { exp_internal 1 # Username } -u* - -U* { if {! 
[ regexp .\[uU\](.+) $arg ignore user]} { incr i set username [ lindex $argv $i ] } # VTY Password } -p* - -P* { if {! [ regexp .\[pP\](.+) $arg ignore userpasswd]} { incr i set userpasswd [ lindex $argv $i ] } set do_passwd 0 # VTY Password } -v* { if {! [ regexp .\[vV\](.+) $arg ignore passwd]} { incr i set passwd [ lindex $argv $i ] } set do_passwd 0 # Version string } -V* { send_user "rancid 2.3.2a9\n" exit 0 # Enable Username } -w* - -W* { if {! [ regexp .\[wW\](.+) $arg ignore enauser]} { incr i set enausername [ lindex $argv $i ] } # Environment variable to pass to -s scripts } -E* { if {[ regexp .\[E\](.+)=(.+) $arg ignore varname varvalue]} { set E$varname $varvalue } else { send_user "\nError: invalid format for -E in $arg\n" exit 1 } # Enable Password } -e* { if {! [ regexp .\[e\](.+) $arg ignore enapasswd]} { incr i set enapasswd [ lindex $argv $i ] } set do_enapasswd 0 # Command to run. } -c* - -C* { if {! [ regexp .\[cC\](.+) $arg ignore command]} { incr i set command [ lindex $argv $i ] } set do_command 1 # Expect script to run. } -s* - -S* { if {! [ regexp .\[sS\](.+) $arg ignore sfile]} { incr i set sfile [ lindex $argv $i ] } if { ! [ file readable $sfile ] } { send_user "\nError: Can't read $sfile\n" exit 1 } set do_script 1 # 'ssh -c' cypher type } -y* - -Y* { if {! [ regexp .\[eE\](.+) $arg ignore cypher]} { incr i set cypher [ lindex $argv $i ] } # alternate cloginrc file } -f* - -F* { if {! [ regexp .\[fF\](.+) $arg ignore password_file]} { incr i set password_file [ lindex $argv $i ] } # Timeout } -t* - -T* { if {! [ regexp .\[tT\](.+) $arg ignore timeout]} { incr i set timeout [ lindex $argv $i ] } # Command file } -x* - -X { if {! [ regexp .\[xX\](.+) $arg ignore cmd_file]} { incr i set cmd_file [ lindex $argv $i ] } if [ catch {set cmd_fd [open $cmd_file r]} reason ] { send_user "\nError: $reason\n" exit 1 } set cmd_text [read $cmd_fd] close $cmd_fd set command [join [split $cmd_text \n] \;] set do_command 1 # Do we enable? 
    } -noenable {
        set avenable 0
    # Does tacacs automatically enable us?
    } -autoenable {
        # hp does not autoenable
        set autoenable 1
        set avenable 0
    } -* {
        send_user "\nError: Unknown argument! $arg\n"
        send_user $usage
        exit 1
    } default {
        break
    }
    }
}
# Process routers...no routers listed is an error.
if { $i == $argc } {
    send_user "\nError: $usage"
}

# Only be quiet if we are running a script (it can log its output
# on its own)
if { $do_script } {
    log_user 0
} else {
    log_user 1
}

#
# Done configuration/variable setting. Now run with it...
#

# Sets Xterm title if interactive...if its an xterm and the user cares
proc label { host } {
    global env
    # if CLOGIN has an 'x' in it, don't set the xterm name/banner
    if [info exists env(CLOGIN)] {
        if {[string first "x" $env(CLOGIN)] != -1} {
            return
        }
    }
    # take host from ENV(TERM)
    if [info exists env(TERM)] {
        if [regexp \^(xterm|vs) $env(TERM) ignore ] {
            send_user "\033]1;[lindex [split $host "."] 0]\a"
            send_user "\033]2;$host\a"
        }
    }
}

# This is a helper function to make the password file easier to
# maintain. Using this the password file has the form:
# add password sl* pete cow
# add password at* steve
# add password * hanky-pie
proc add {var args} { global int_$var ; lappend int_$var $args}
proc include {args} {
    global env
    regsub -all "(^{|}$)" $args {} args
    if { [ regexp "^/" $args ignore ] == 0 } {
        set args $env(HOME)/$args
    }
    source_password_file $args
}

proc find {var router} {
    upvar int_$var list
    if { [info exists list] } {
        foreach line $list {
            if { [string match [lindex $line 0] $router ] } {
                return [lrange $line 1 end]
            }
        }
    }
    return {}
}

# Loads the password file. Note that as this file is tcl, and that
# it is sourced, the user better know what to put in there, as it
# could install more than just password info... I will assume however,
# that a "bad guy" could just as easy put such code in the clogin
# script, so I will leave .cloginrc as just an extention of that script
proc source_password_file { password_file } {
    global env
    if { ! [file exists $password_file] } {
        send_user "\nError: password file ($password_file) does not exist\n"
        exit 1
    }
    file stat $password_file fileinfo
    if { [expr ($fileinfo(mode) & 007)] != 0000 } {
        send_user "\nError: $password_file must not be world readable/writable\n"
        exit 1
    }
    if [ catch {source $password_file} reason ] {
        send_user "\nError: $reason\n"
        exit 1
    }
}

# Log into the router.
# returns: 0 on success, 1 on failure
proc login { router user userpswd passwd enapasswd cmethod cyphertype } {
    global spawn_id in_proc do_command do_script platform
    global prompt u_prompt p_prompt e_prompt sshcmd
    set in_proc 1

    # try each of the connection methods in $cmethod until one is successful
    set progs [llength $cmethod]
    foreach prog [lrange $cmethod 0 end] {
        incr progs -1
        regexp {(telnet|ssh)(:([^[:space:]]+))*} $prog command suffix junk port
        if [string match "telnet*" $prog] {
            if {"$port" == ""} {
                set retval [ catch {spawn telnet $router} reason ]
            } else {
                set retval [ catch {spawn telnet $router $port} reason ]
            }
            if { $retval } {
                send_user "\nError: telnet failed: $reason\n"
                return 1
            }
        } elseif [string match "ssh*" $prog] {
            if {"$port" == ""} {
                set retval [ catch {spawn $sshcmd -c $cyphertype -x -l $user $router} reason ]
            } else {
                set retval [ catch {spawn $sshcmd -c $cyphertype -p $port -x -l $user $router} reason ]
            }
            if { $retval } {
                send_user "\nError: $sshcmd failed: $reason\n"
                return 1
            }
        } elseif ![string compare $prog "rsh"] {
            send_error "\nError: unsupported method: rsh\n"
            if { $progs == 0 } {
                return 1
            }
            continue;
        } else {
            send_user "\nError: unknown connection method: $prog\n"
            return 1
        }
        sleep 0.3

        # This helps cleanup each expect clause.
        expect_after {
            timeout {
                send_user "\nError: TIMEOUT reached\n"
                catch {close}; catch {wait};
                if { $in_proc} {
                    return 1
                } else {
                    continue
                }
            } eof {
                send_user "\nError: EOF received\n"
                catch {close}; catch {wait};
                if { $in_proc} {
                    return 1
                } else {
                    continue
                }
            }
        }

        # Here we get a little tricky. There are several possibilities:
        # the router can ask for a username and passwd and then
        # talk to the TACACS server to authenticate you, or if the
        # TACACS server is not working, then it will use the enable
        # passwd. Or, the router might not have TACACS turned on,
        # then it will just send the passwd.
        # if telnet fails with connection refused, try ssh
        expect {
            "Press any key to continue" {
                send " "
                exp_continue
            }
            -re "(Connection refused|Secure connection \[^\n\r]+ refused|Connection closed by)" {
                catch {close}; catch {wait};
                if !$progs {
                    send_user "\nError: Connection Refused ($prog)\n"; return 1
                }
            }
            "Host is unreachable" {
                catch {close}; catch {wait};
                send_user "\nError: Host Unreachable!\n"; wait; return 1
            }
            "No address associated with name" {
                catch {close}; catch {wait};
                send_user "\nError: Unknown host\n"; wait; return 1
            }
            -re "(Host key not found |The authenticity of host .* be established).*\(yes\/no\)\?" {
                send "yes\r"
                send_user "\nHost $router added to the list of known hosts.\n"
                exp_continue
            }
            -re "HOST IDENTIFICATION HAS CHANGED.* \(yes\/no\)\?" {
                send "no\r"
                send_user "\nError: The host key for $router has changed. Update the SSH known_hosts file accordingly.\n"
                return 1
            }
            -re "Offending key for .* \(yes\/no\)\?" {
                send "no\r"
                send_user "\nError: host key mismatch for $router. Update the SSH known_hosts file accordingly.\n"
                return 1
            }
            eof { send_user "\nError: Couldn't login\n"; wait; return 1 }
            -nocase "unknown host\r" {
                catch {close}; catch {wait};
                send_user "\nError: Unknown host\n"; wait; return 1
            }
            -re "$u_prompt" {
                send -- "$user\r"
                expect {
                    eof { send_user "\nError: Couldn't login\n"; wait; return 1 }
                    "Login invalid" {
                        send_user "\nError: Invalid login\n";
                        catch {close}; catch {wait}; return 1
                    }
                    -re "$p_prompt" { send -- "$userpswd\r" }
                    "$prompt" { set in_proc 0; return 0 }
                    "Press any key to continue" {
                        send " "
                        exp_continue
                    }
                }
                exp_continue
            }
            -re "$p_prompt" {
                if ![string compare $prog "ssh"] {
                    send -- "$userpswd\r"
                } else {
                    send -- "$passwd\r"
                }
                expect {
                    eof { send_user "\nError: Couldn't login\n"; wait; return 1 }
                    "Press any key to continue" { send " "; exp_continue }
                    -re "$e_prompt" { send -- "$enapasswd\r" }
                    "$prompt" { set in_proc 0; return 0 }
                }
                exp_continue
            }
            "$prompt" { break; }
            denied {
                send_user "\nError: Check your passwd for $router\n"
                catch {close}; catch {wait}; return 1
            }
            "% Bad passwords" {send_user "\nError: Check your passwd for $router\n"; return 1 }
        }
    }
    set in_proc 0
    return 0
}

# Enable
proc do_enable { enauser enapasswd } {
    global prompt in_proc
    global u_prompt e_prompt
    set in_proc 1

    send "enable\r"
    expect {
        -re "$u_prompt" { send -- "$enauser\r"; exp_continue}
        -re "$e_prompt" { send -- "$enapasswd\r"; exp_continue}
        ">" { set prompt ">" }
        "(enable)" { set prompt "# (enable) " }
        denied { send_user "\nError: Check your Enable passwd\n"; return 1}
        "% Bad passwords" {
            send_user "\nError: Check your Enable passwd\n"
            return 1
        }
    }
    # We set the prompt variable (above) so script files don't need
    # to know what it is.
    set in_proc 0
    return 0
}

# Run commands given on the command line.
proc run_commands { prompt command } {
    global in_proc platform
    set in_proc 1

    # Turn off the pager and escape regex meta characters in the $prompt
    #send "no page\r"
    send "\r"
    regsub -all {[)(]} $prompt {\\&} reprompt
    regsub -all {^(.{1,11}).*([#>])$} $reprompt {\1([^#>\r\n]+)?[#>](\\([^)\\r\\n]+\\))?} reprompt
    expect {
        -re $reprompt {}
        -re "\[\n\r]+" { exp_continue }
    }

    # this is the only way i see to get rid of more prompts in o/p..grrrrr
    log_user 0

    set commands [split $command \;]
    set num_commands [llength $commands]
    # if the pager can not be turned off, we have to look for the "More"
    # prompt.
    for {set i 0} {$i < $num_commands} { incr i} {
        send -- "[subst -nocommands [lindex $commands $i]]\r"
        expect {
            -re "^\[^\n\r *]*$reprompt" {
                catch {send_user -- "$expect_out(buffer)"}
            }
            -re "^\[^\n\r]*$reprompt." {
                catch {send_user -- "$expect_out(buffer)"}
                exp_continue
            }
            -re "\[\n\r]+" {
                catch {send_user -- "$expect_out(buffer)"}
                exp_continue
            }
            -re "\[^\r\n]*Press to cont\[^\r\n]*" {
                send " "
                expect {
                    # gag, 2 more prompts
                    -re "\[\r\n]*\r" {}
                    -re "\[^\r\n]*Press to cont\[^\r\n]*" {
                        catch {send " "};
                        exp_continue
                    }
                }
                exp_continue
            }
            -re "^<-+ More -+>\[^\n\r]*" {
                catch {send " "}
                exp_continue
            }
            -re "^-+ MORE -+\[^\n\r]*" {
                catch {send " "}
                exp_continue
            }
            # 3 flavours of the more prompt, first -More-, then --More-- (for
            # cisco/riverhead AGM), then with more dashes.
            -re "^-More-\[^\n\r-]*" {
                catch {send " "}
                exp_continue
            }
            -re "^--More--\[^\n\r-]*" {
                catch {send " "}
                exp_continue
            }
            -re "^---+More---+\[^\n\r]*" {
                catch {send " "}
                exp_continue
            }
            -re "\b+" { exp_continue }
        }
    }
    log_user 1
    send -h "quit\r"
    expect {
        "quitConnection closed by foreign host" {
            catch {close}
            return 0
        }
        "Do you want to save current configuration" {
            catch {send "n\r"}
            exp_continue
        }
        "Do you wish to save " {
            catch {send "n\r"}
            exp_continue
        }
        "Do you want to log out" {
            catch {send "y\r"}
            exp_continue
        }
        -re "\[\r\n]+" { exp_continue }
        -re "^.+> " {
            catch {send -h "quit\r"}
            exp_continue
        }
        timeout { catch {close}; catch {wait}; return 0 }
        eof { return 0 }
    }
    set in_proc 0
}

#
# For each router... (this is main loop)
#
source_password_file $password_file
set in_proc 0
set exitval 0
foreach router [lrange $argv $i end] {
    set router [string tolower $router]
    send_user "$router\n"

    # Figure out prompt.
    # Since autoenable is off by default, if we have it defined, it
    # was done on the command line. If it is not specifically set on the
    # command line, check the password file.
    if $avautoenable {
        set autoenable 1
        set enable 0
        set prompt ">"
    } else {
        set ae [find autoenable $router]
        if { "$ae" == "1" } {
            set autoenable 1
            set enable 0
            set prompt "#"
        } else {
            set autoenable 0
            set enable $avenable
            set prompt ">"
        }
    }

    # look for noenable option in .cloginrc
    if { [find noenable $router] != "" } {
        set enable 0
    }

    # Figure out passwords
    if { $do_passwd || $do_enapasswd } {
        set pswd [find password $router]
        if { [llength $pswd] == 0 } {
            send_user "\nError: no password for $router in $password_file.\n"
            continue
        }
        if { $enable && $do_enapasswd && $autoenable == 0 && [llength $pswd] < 2 } {
            send_user "\nError: no enable password for $router in $password_file.\n"
            continue
        }
        set passwd [join [lindex $pswd 0] ""]
        set enapasswd [join [lindex $pswd 1] ""]
    } else {
        set passwd $userpasswd
        set enapasswd $enapasswd
    }

    # Figure out username
    if {[info exists username]} {
        # command line username
        set ruser $username
    } else {
        set ruser [join [find user $router] ""]
        if { "$ruser" == "" } { set ruser $default_user }
    }

    # Figure out username's password (if different from the vty password)
    if {[info exists userpasswd]} {
        # command line username
        set userpswd $userpasswd
    } else {
        set userpswd [join [find userpassword $router] ""]
        if { "$userpswd" == "" } { set userpswd $passwd }
    }

    # Figure out enable username
    if {[info exists enausername]} {
        # command line enausername
        set enauser $enausername
    } else {
        set enauser [join [find enauser $router] ""]
        if { "$enauser" == "" } { set enauser $ruser }
    }

    # Figure out prompts
    set u_prompt [find userprompt $router]
    if { "$u_prompt" == "" } {
        set u_prompt "(Username|login|user name):"
    } else {
        set u_prompt [join [lindex $u_prompt 0] ""]
    }
    set p_prompt [find passprompt $router]
    if { "$p_prompt" == "" } {
        set p_prompt "(\[Pp]assword|passwd):"
    } else {
        set p_prompt [join [lindex $p_prompt 0] ""]
    }
    set e_prompt [find enableprompt $router]
    if { "$e_prompt" == "" } {
        set e_prompt "\[Pp]assword:"
    } else {
        set e_prompt [join [lindex $e_prompt 0] ""]
    }

    # Figure out cypher type
    if {[info exists cypher]} {
        # command line cypher type
        set cyphertype $cypher
    } else {
        set cyphertype [find cyphertype $router]
        if { "$cyphertype" == "" } { set cyphertype "3des" }
    }

    # Figure out connection method
    set cmethod [find method $router]
    if { "$cmethod" == "" } { set cmethod {{telnet} {ssh}} }

    # Figure out the SSH executable name
    set sshcmd [find sshcmd $router]
    if { "$sshcmd" == "" } { set sshcmd {ssh} }

    # Login to the router
    if {[login $router $ruser $userpswd $passwd $enapasswd $cmethod $cyphertype]} {
        incr exitval
        continue
    }
    if { $enable } {
        if {[do_enable $enauser $enapasswd]} {
            if { $do_command || $do_script } {
                incr exitval
                catch {close}; catch {wait};
                continue
            }
        }
    }
    # we are logged in, now figure out the full prompt
    send "\r"
    expect {
        -re "\[\r\n]+" { exp_continue; }
        #rhys -re "^.+$prompt " { set prompt $expect_out(0,string); }
        -re "> " { set prompt $expect_out(0,string); }
    }

    if { $do_command } {
        if {[run_commands $prompt $command]} {
            incr exitval
            continue
        }
    } elseif { $do_script } {
        # disable the pager
        #rhys send "no page\r"
        expect -re $prompt {}
        source $sfile
        catch {close};
    } else {
        label $router
        log_user 1
        interact
    }

    # End of for each router
    catch {wait};
    sleep 0.3
}
exit $exitval

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
drancid

#!
/usr/bin/perl
##
# RANCID - Really Awesome New Cisco confIg Differ
#
# usage: rancid [-dV] [-l] [-f filename | hostname]
#
use Getopt::Std;
getopts('dflV');
if ($opt_V) {
    print "rancid 2.3.2a9\n";
    exit(0);
}
$log = $opt_l;
$debug = $opt_d;
$file = $opt_f;
$host = $ARGV[0];
$ios = "IOS";
$clean_run = 0;
$found_end = 1;
$found_version = 0;
$found_env = 0;
$found_diag = 0;
$timeo = 30; # dlogin timeout in seconds
#$prompt = '> ';

my(@commandtable, %commands, @commands);# command lists
my($aclsort) = ("ipsort"); # ACL sorting mode
my($config_register); # configuration register value
my($filter_commstr); # SNMP community string filtering
my($filter_pwds); # password filtering mode

# This routine is used to print out the router configuration
sub ProcessHistory {
    my($new_hist_tag,$new_command,$command_string,@string) = (@_);
    if ((($new_hist_tag ne $hist_tag) || ($new_command ne $command))
        && defined %history) {
        print eval "$command \%history";
        undef %history;
    }
    if (($new_hist_tag) && ($new_command) && ($command_string)) {
        if ($history{$command_string}) {
            $history{$command_string} = "$history{$command_string}@string";
        } else {
            $history{$command_string} = "@string";
        }
    } elsif (($new_hist_tag) && ($new_command)) {
        $history{++$#history} = "@string";
    } else {
        print "@string";
    }
    $hist_tag = $new_hist_tag;
    $command = $new_command;
    1;
}

sub numerically { $a <=> $b; }

# This is a sort routine that will sort numerically on the
# keys of a hash as if it were a normal array.
sub keynsort {
    local(%lines) = @_;
    local($i) = 0;
    local(@sorted_lines);
    foreach $key (sort numerically keys(%lines)) {
        $sorted_lines[$i] = $lines{$key};
        $i++;
    }
    @sorted_lines;
}

# This is a sort routine that will sort on the
# keys of a hash as if it were a normal array.
sub keysort {
    local(%lines) = @_;
    local($i) = 0;
    local(@sorted_lines);
    foreach $key (sort keys(%lines)) {
        $sorted_lines[$i] = $lines{$key};
        $i++;
    }
    @sorted_lines;
}

# This is a sort routine that will sort on the
# values of a hash as if it were a normal array.
sub valsort{
    local(%lines) = @_;
    local($i) = 0;
    local(@sorted_lines);
    foreach $key (sort values %lines) {
        $sorted_lines[$i] = $key;
        $i++;
    }
    @sorted_lines;
}

# This is a numerical sort routine (ascending).
sub numsort {
    local(%lines) = @_;
    local($i) = 0;
    local(@sorted_lines);
    foreach $num (sort {$a <=> $b} keys %lines) {
        $sorted_lines[$i] = $lines{$num};
        $i++;
    }
    @sorted_lines;
}

# This is a sort routine that will sort on the
# ip address when the ip address is anywhere in
# the strings.
sub ipsort {
    local(%lines) = @_;
    local($i) = 0;
    local(@sorted_lines);
    foreach $addr (sort sortbyipaddr keys %lines) {
        $sorted_lines[$i] = $lines{$addr};
        $i++;
    }
    @sorted_lines;
}

# These two routines will sort based upon IP addresses
sub ipaddrval {
    my(@a) = ($_[0] =~ m#^(\d+)\.(\d+)\.(\d+)\.(\d+)$#);
    $a[3] + 256 * ($a[2] + 256 * ($a[1] +256 * $a[0]));
}
sub sortbyipaddr {
    &ipaddrval($a) <=> &ipaddrval($b);
}

# This routine parses "sys version"
sub SysVer1 {
    # skip if this is 7000, 7200, 7500, or 12000; else we end up with
    # redundant data from dir /all slot0:
    print STDERR " In SysVer1: $_"; #if ($debug);

    while (<INPUT>) {
        tr/\015//d;
        last if (/^$prompt/);
        next if (/^(\s*|\s*$cmd\s*)$/);
        return(1) if ($type =~ /^(12[40]|7)/);
        return(1) if /^\s*\^\s*$/;
        return(1) if /Line has invalid autocommand /;
        return(1) if /(Invalid input detected|Type help or )/;
        return(-1) if (/command authorization failed/i);
        # the pager can not be disabled per-session on the PIX
        if (/^(<-+ More -+>)/) {
            my($len) = length($1);
            s/^$1\s{$len}//;
        }

        /\s+(multiple-fs|nv_hdr|vlan\.dat)$/ && next;
        ProcessHistory("FLASH","","","!Flash: $_");
    }
    ProcessHistory("","","","!\n");
    return;
}

sub SysVer2 {
    print STDERR " In SysVer2: $_" if ($debug);

    while (<INPUT>) {
        tr/\015//d;
        last if(/^$prompt/);
        next if /^\s*$/;
        #next if /Router Model/;
        #next if(/^(\s*|\s*$cmd\s*)$/);
        #return(1) if /^(upnp|radius)/;
        #return(1) if /^%/;
        #return(-1) if (/command authorization failed/i);
        ProcessHistory("VERSION","","","!SW: $_");
    }
    ProcessHistory("VERSION","","","!\n");
    return;
}

sub SysVer {
    print STDERR " In SysVer: $_" if ($debug);

    while (<INPUT>) {
        tr/\015//d;
        last if(/^$prompt/);
        next if(/^(\s*|\s*$cmd\s*)$/);
        return(-1) if (/command authorization failed/i);
        ProcessHistory("COMMENTS","keysort","C0", "! $_") && next;
    }
    return(0);
}

#
# dummy function
sub DoNothing {print STDOUT;}

# Main
@commandtable = (
    {'sys version' => 'SysVer'},
    {'sys iface' => 'DoNothing'}
    #{'\?' => 'SysVer'}
);
# Use an array to preserve the order of the commands and a hash for mapping
# commands to the subroutine and track commands that have been completed.
@commands = map(keys(%$_), @commandtable);
%commands = map(%$_, @commandtable);

$cisco_cmds = join(";",@commands);
$cmds_regexp = join("|",@commands);

if (length($host) == 0) {
    if ($file) {
        print(STDERR "Too few arguments: file name required\n");
        exit(1);
    } else {
        print(STDERR "Too few arguments: host name required\n");
        exit(1);
    }
}
open(OUTPUT,">$host.new") || die "Can't open $host.new for writing: $!\n";
select(OUTPUT);
# make OUTPUT unbuffered if debugging
if ($debug) { $| = 1; }

if ($file) {
    print STDERR "opening file $host\n" if ($debug);
    print STDOUT "opening file $host\n" if ($log);
    open(INPUT,"<$host") || die "open failed for $host: $!\n";
} else {
    print STDERR "executing dlogin -t $timeo -c\"$cisco_cmds\" $host\n" if ($debug);
    print STDOUT "executing dlogin -t $timeo -c\"$cisco_cmds\" $host\n" if ($log);
    if (defined($ENV{NOPIPE})) {
        system "dlogin -t $timeo -c \"$cisco_cmds\" $host </dev/null > $host.raw 2>&1" || die "dlogin failed for $host: $!\n";
        open(INPUT, "< $host.raw") || die "dlogin failed for $host: $!\n";
    } else {
        open(INPUT,"dlogin -t $timeo -c \"$cisco_cmds\" $host ) {
    tr/\015//d;
#    if (/[>#]\s?exit$/) {
#    if (/[>#]\s?quit$/) {
#    if (/^$prompt/) {
    if (/> s?quitConnection closed by foreign host\.$/){
        $clean_run = 1;
        last;
    }
    if (/^Error:/) {
        print STDOUT ("$host dlogin error: $_");
        print STDERR ("$host dlogin error: $_") if ($debug);
        $clean_run = 0;
        last;
    }
    while (/#\s*($cmds_regexp)\s*$/) {
        $cmd = $1;
        if (!defined($prompt)) {
            $prompt = ($_ =~ /^([^#]+#)/)[0];
            $prompt =~ s/([][}{)(\\])/\\$1/g;
            print STDERR ("PROMPT MATCH: $prompt\n")if ($debug);
        }
        print STDERR ("HIT COMMAND:$_") if ($debug);
        if (! defined($commands{$cmd})) {
            print STDERR "$host: found unexpected command - \"$cmd\"\n";
            $clean_run = 0;
            last TOP;
        }
        $rval = &{$commands{$cmd}};
        delete($commands{$cmd});
        if ($rval == -1) {
            $clean_run = 0;
            last TOP;
        }
    }
}
print STDOUT "Done $logincmd: $_\n" if ($log);
print STDOUT "Clean Run = $clean_run \n" if ($log);
print STDOUT "End Found = $found_end \n" if ($log);
###next 2 lines troubleshooting
#$clean_run = 1;
#$found_end = 1;
# Flush History
ProcessHistory("","","","");
# Cleanup
close(INPUT);
close(OUTPUT);

if (defined($ENV{NOPIPE})) {
    unlink("$host.raw") if (! $debug);
}

# check for completeness
if (scalar(%commands) || !$clean_run || !$found_end) {
    ###=debug
    if (scalar(%commands)) {
        printf(STDOUT "$host: missed cmd(s): %s\n", join(',', keys(%commands)));
        printf(STDERR "$host: missed cmd(s): %s\n", join(',', keys(%commands))) if ($debug);
    }
    if (!$clean_run || !$found_end) {
        print STDOUT "$host: End of run not found\n";
        print STDERR "$host: End of run not found\n" if ($debug);
        system("/usr/bin/tail -1 $host.new");
    }
    unlink "$host.new" if (! $debug);
}
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

From heas at shrubbery.net Thu Apr 16 18:15:19 2009
From: heas at shrubbery.net (john heasley)
Date: Thu, 16 Apr 2009 18:15:19 +0000
Subject: [rancid] Re: Rancid New Router Type
In-Reply-To: <6830B5350FF4CA408E0C89A7FA1EDF8B8A8E934F56@EXBE01.domain.local>
References: <6830B5350FF4CA408E0C89A7FA1EDF8B8A8E934F56@EXBE01.domain.local>
Message-ID: <20090416181519.GC25942@shrubbery.net>

Thu, Apr 16, 2009 at 05:14:31PM +0100, Rhys Evans:
> Hi
>
> I am relatively new to Rancid, and am looking for some help on adding a new router type. I have Rancid up and running for our Cisco and HP devices with no issues. Now back to the question.
>
> I would like to create a new device type for draytek (I know not great but we do have a few of them) routers . Please bear with me regarding my coding I'm not a programmer, I am also aware I have removed some of the checks etc. I will look at bring those in once I can get the config out putting fine.
>
> Now what I have managed to do is the following:
>
>
> 1) Edited rancid-fe and added the line "'draytek' => 'drancid'," in the vendor table (This seems to be working fine)
>
> 2) Hacked the clogin script and renamed it to dlogin. This again seems to be working as it logs into the router and I can enter commands and see the expected output (see end for script)

depending upon what these hacks are, if they are invasive, i suggest a
separate script.

> 3) I have now created drancid which is a hack of rancid. This is where I am having my issue (see end for script)
>
> a. Now when I run "dlogin -d -c 'sys version;sys iface' 79.14.24.56 > debugoutput 2>&1" I get the following output (which is what I am expecting)
>
> ++++++++++++++++++++++++++++++++++++++++
> dlogin -d -c 'sys version;sys iface' 79.14.24.56 > debugoutput 2>&1
>
> 79.14.24.56
> Trying 79.14.24.56...
> Connected to 79.14.24.56.rdns.as8401.net (79.14.24.56).
> Escape character is '^]'.
>
> Password: **********
>
> Type ? for command help
>
> >
> >
> > sys version
> Router Model: Vigor3100 series Version: v2.7.1 English
> Profile version: 0x2 Status: 1 (0xcd0a7a2)
> Router IP: 192.168.2.1 Netmask: 255.255.255.0
> Firmware Build Date/Time: Wed Nov 29 16:32:4.45 2006
> Revision: 173
> ADSL Firmware Version: R308_1 Annex B
>
> > sys iface
> Interface 0 Ethernet:
> Status: UP
> IP Address: 192.168.2.1 Netmask: 0xFFFFFF00 (Private)
> IP Address: 79.14.24.56 Netmask: 0xFFFFFFF8
> MAC: 00-50-7F-B7-5C-C8
> Interface 3 PPPoE:
> Status: UP
> IP Address: 79.14.24.56 Netmask: 0xFFFFFFFF
> MAC: 00-50-7F-B7-5C-C9
> > quitConnection closed by foreign host.
>
> ++++++++++++++++++++++++++++++++++++++++++
>
>
> b. The issue now comes in when I run "drancid -d 79.14.24.56". I don't get the output I expect. I get the following. I suspect this is something to do with the commands in the commandtable calling the subs, I could be totally wrong here. (By the way I'm not looking for formatting at the moment just looking for some output)
>
> ++++++++++++++++++++++++++++++++++++++++++
> drancid -d 79.14.24.56
> executing dlogin -t 30 -c"sys version;sys iface" 79.14.24.56
> 79.14.24.56: missed cmd(s): sys version,sys iface
> 79.14.24.56: missed cmd(s): sys version,sys iface

most likely it is not matching the prompt. see NOPIPE in rancid.conf(5)
and rancid -df, which are handy testing knobs.

From heas at shrubbery.net Thu Apr 16 18:24:01 2009
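The prompt check suggested in the reply above can be replayed offline. The following is an added example, not code from the thread or from RANCID: it feeds a constructed, abridged copy of the quoted session through the command-detection pattern of the posted drancid, and then through a variant whose `[>#]` prompt class is an assumption made here. The names `replay` and `report` are hypothetical.

```perl
#!/usr/bin/perl
# Added example, not part of RANCID or of the scripts posted in the thread.
# It replays a captured session through the command-detection step of the
# posted drancid main loop and reports which commands were recognised.
use strict;
use warnings;

# Constructed sample: abridged from the dlogin output quoted in the thread.
my @raw = split /^/, <<'EOF';
79.14.24.56
Trying 79.14.24.56...
Escape character is '^]'.
Password: **********
Type ? for command help

>
>
> sys version
Router Model: Vigor3100 series Version: v2.7.1 English
Revision: 173

> sys iface
Interface 0 Ethernet:
Status: UP

> quitConnection closed by foreign host.
EOF

my @commands = ('sys version', 'sys iface');    # same order as @commandtable

# Replay @lines; $term matches the character that ends the device prompt.
sub replay {
    my ($term, @lines) = @_;
    my $cmds_regexp = join('|', map { quotemeta($_) } @commands);
    my %pending = map { $_ => 1 } @commands;
    my ($prompt, @hits);
    my $clean_run = 0;

    for my $line (@lines) {
        (my $l = $line) =~ tr/\015//d;
        # End-of-run test, same pattern as the posted script.
        if ($l =~ /> s?quitConnection closed by foreign host\.$/) {
            $clean_run = 1;
            last;
        }
        # Command echo: prompt terminator, optional space, a known command.
        next unless $l =~ /$term\s*($cmds_regexp)\s*$/;
        my $cmd = $1;
        # Learn the prompt from the first echoed command.
        ($prompt) = $l =~ /^(.*?$term)/ unless defined $prompt;
        push @hits, $cmd;
        delete $pending{$cmd};
    }
    return {
        prompt    => $prompt,
        hits      => \@hits,
        missed    => [ grep { $pending{$_} } @commands ],
        clean_run => $clean_run,
    };
}

# One summary line per run.
sub report {
    my ($label, $r) = @_;
    return sprintf("%-18s prompt=%-6s hit=[%s] missed=[%s] clean_run=%d",
        $label,
        defined $r->{prompt} ? "'$r->{prompt}'" : 'none',
        join(',', @{ $r->{hits} }),
        join(',', @{ $r->{missed} }),
        $r->{clean_run});
}

print report('posted (# only)', replay(qr/#/, @raw)), "\n";
print report('assumed ([>#])',  replay(qr/[>#]/, @raw)), "\n";
```

With the `#`-only pattern both commands stay pending while the end-of-run test still passes, which corresponds to the `missed cmd(s): sys version,sys iface` lines appearing without an `End of run not found` line in the quoted run.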
From: heas at shrubbery.net (john heasley)
Date: Thu, 16 Apr 2009 18:24:01 +0000
Subject: [rancid] Re: Rancid with Fortigate Devices?
In-Reply-To:
References:
Message-ID: <20090416182401.GE25942@shrubbery.net>

Thu, Apr 16, 2009 at 11:38:45AM -0400, Mina Eskander:
> Has anybody made progress with this?
> I set up a new rancid server and did a fnrancid with the following output.
>
> [rancid@pwcolocacti ~]$ bin/fnrancid -d pwcolofgt100c
> executing nlogin -t 90 -c"get system status;get conf" pwcolofgt100c
> pwcolofgt100c nlogin error: Error: TIMEOUT reached
> pwcolofgt100c nlogin error: Error: TIMEOUT reached
> pwcolofgt100c: missed cmd(s): get conf,get system status
> pwcolofgt100c: missed cmd(s): get conf,get system status
> 0: found end
> pwcolofgt100c: End of run not found
> pwcolofgt100c: End of run not found
>
> not really sure if it's because of a regex problem or the commands or what, I would appreciate any help with this.

first step should always be to make sure that the expect script is working.
what does nlogin -t 90 -c"get system status;get conf" pwcolofgt100c o/p?

> Network Security | Disaster Recovery | Business Continuity | IT Projects | Application Development

what is 'business continuity'?

From jethro.binks at strath.ac.uk Thu Apr 16 20:35:16 2009
From: jethro.binks at strath.ac.uk (Jethro R Binks)
Date: Thu, 16 Apr 2009 21:35:16 +0100 (BST)
Subject: [rancid] Re: Rancid New Router Type
In-Reply-To: <20090416181519.GC25942@shrubbery.net>
References: <6830B5350FF4CA408E0C89A7FA1EDF8B8A8E934F56@EXBE01.domain.local> <20090416181519.GC25942@shrubbery.net>
Message-ID:

On Thu, 16 Apr 2009, john heasley wrote:

> Thu, Apr 16, 2009 at 05:14:31PM +0100, Rhys Evans:
> > 2) Hacked the clogin script and renamed it to dlogin. This again
> > seems to be working as it logs into the router and I can enter
> > commands and see the expected output (see end for script)
>
> depending upon what these hacks are, if they are invasive, i suggest a
> separate script.

John> he said he made a copy of clogin and rancid and modified them, what otherwise did you mean by "separate script"?

Can I suggest in this case that something more precise than "drancid" etc are used: maybe drayrancid or even draytekrancid. There's bound to be another 'd' vendor come along sooner or later ...

(The creep of these hacked versions of the scripts (several ones mentioned lately for different devices) is once again showing the strain on the original cisco-oriented design of rancid (or, conversely, maybe it just shows that there are too many vendors with too many cli-a-likes). The solutions are not straightforward, however :).

> most likely it is not matching the prompt. see NOPIPE in rancid.conf(5)
> and rancid -df, which are handy testing knobs.

For convenience, I tend to run something like:

env NOPIPE=y PATH=${PATH}:/usr/local/libexec/rancid rancid -d devicename

to get the devicename.raw and .new files in the current directory.

Jethro.

. . . . . . . . . . . . . . . . . . . . . . . . .
Jethro R Binks
Computing Officer, IT Services, University Of Strathclyde, Glasgow, UK

From jball at rgare.com Thu Apr 16 20:46:31 2009
From: jball at rgare.com (Ball, Jeff)
Date: Thu, 16 Apr 2009 15:46:31 -0500
Subject: [rancid] Rancid-Run question and CVS
Message-ID: <56A41EA5DB3CA748AD75EBDDE5D1F867042CEE66@stlpexc220.rgare.net>

Hello - I had to rebuild a box that I inherited, and have installed and configured rancid for tracking changes to my netscreen firewalls.

Everything is working, except that when I execute rancid-run, the versions are updated automagically. On my old box, I executed rancid-run, then CVS separately, and committed each change with comments.

How do I keep rancid-run from doing the commit automatically, and allow me to update each config with CVS commit?

Thanks

From heas at shrubbery.net Thu Apr 16 21:03:20 2009
From: heas at shrubbery.net (john heasley)
Date: Thu, 16 Apr 2009 21:03:20 +0000
Subject: [rancid] Re: Rancid-Run question and CVS
In-Reply-To: <56A41EA5DB3CA748AD75EBDDE5D1F867042CEE66@stlpexc220.rgare.net>
References: <56A41EA5DB3CA748AD75EBDDE5D1F867042CEE66@stlpexc220.rgare.net>
Message-ID: <20090416210320.GR25942@shrubbery.net>

Thu, Apr 16, 2009 at 03:46:31PM -0500, Ball, Jeff:
> Hello - I had to rebuild a box that I inherited, and have installed and
> configured rancid for tracking changes to my netscreen firewalls.
>
> Everything is working, except that when I execute rancid-run, the
> versions are updated automagically. On my old box, I executed
> rancid-run, then CVS separately, and committed each change with
> comments.
>
> How do I keep rancid-run from doing the commit automatically, and allow
> me to update each config with CVS commit?

someone altered those scripts. there is no way to do that out of the
box, except creating a rogue cvs executable that does nothing and
pointing rancid-run's PATH at it.

From rhys.evans at Redblade.co.uk Thu Apr 16 21:19:16 2009
From: rhys.evans at Redblade.co.uk (Rhys Evans)
Date: Thu, 16 Apr 2009 22:19:16 +0100
Subject: [rancid] Re: Rancid New Router Type
In-Reply-To:
References: <6830B5350FF4CA408E0C89A7FA1EDF8B8A8E934F56@EXBE01.domain.local> <20090416181519.GC25942@shrubbery.net>
Message-ID: <6830B5350FF4CA408E0C89A7FA1EDF8B8A8E934F57@EXBE01.domain.local>

Hi

Firstly thanks for the responses. I agree with some of the points raised mainly the naming of the files, I will look at doing this once I have this working. I have run the following command (output is shown below)

env NOPIPE=y PATH=${PATH}:/usr/local/libexec/rancid drancid -d 79.14.24.56

Let me know what you think

Thanks

++++++++++++++++++++++++++++++++++++
Screen

[rancid@ran01 ~]$ env NOPIPE=y PATH=${PATH}:/usr/local/libexec/rancid drancid -d 79.14.24.56
executing dlogin -t 30 -c"sys version;sys iface" 79.14.24.56
79.14.24.56: missed cmd(s): sys version,sys iface
79.14.24.56: missed cmd(s): sys version,sys iface
[rancid@ran01 ~]$

+++++++++++++++++++++++++++++++++++++

++++++++++++++++++++++++++++++++++++
79.14.24.56.raw

79.14.24.56
spawn telnet 79.14.24.56
Trying 79.14.24.56...
Connected to 79.14.24.56 (79.14.24.56).
Escape character is '^]'.

Password: **********

Type ? for command help

>
>
> sys version
Router Model: Vigor3100 series Version: v2.7.1 English
Profile version: 0x2 Status: 1 (0xcd0a7a2)
Router IP: 192.168.2.1 Netmask: 255.255.255.0
Firmware Build Date/Time: Wed Nov 29 16:32:4.45 2006
Revision: 173
ADSL Firmware Version: R308_1 Annex B

> sys iface
Interface 0 Ethernet:
Status: UP
IP Address: 192.168.2.1 Netmask: 0xFFFFFF00 (Private)
IP Address: 79.14.24.56 Netmask: 0xFFFFFFF8
MAC: 00-50-7F-B7-5C-C8
Interface 3 PPPoE:
Status: UP
IP Address: 78.141.28.17 Netmask: 0xFFFFFFFF
MAC: 00-50-7F-B7-5C-C9
> quitConnection closed by foreign host.

++++++++++++++++++++++++++++++++++++

++++++++++++++++++++++++++++++++++++
79.14.24.56.new

!RANCID-CONTENT-TYPE: draytek
!
!
!
!
!

+++++++++++++++++++++++++++++++++++++

From heas at shrubbery.net Thu Apr 16 21:42:34 2009
From: heas at shrubbery.net (john heasley)
Date: Thu, 16 Apr 2009 21:42:34 +0000
Subject: [rancid] Re: Rancid New Router Type
In-Reply-To: <6830B5350FF4CA408E0C89A7FA1EDF8B8A8E934F57@EXBE01.domain.local>
References: <6830B5350FF4CA408E0C89A7FA1EDF8B8A8E934F56@EXBE01.domain.local> <20090416181519.GC25942@shrubbery.net> <6830B5350FF4CA408E0C89A7FA1EDF8B8A8E934F57@EXBE01.domain.local>
Message-ID: <20090416214234.GV25942@shrubbery.net>

Thu, Apr 16, 2009 at 10:19:16PM +0100, Rhys Evans:
> Hi
>
> Firstly thanks for the responses. I agree with some of the points raised mainly the naming of the files, I will look at doing this once
> I have this working. I have run the following command (output is shown below)
>
> env NOPIPE=y PATH=${PATH}:/usr/local/libexec/rancid drancid -d 79.14.24.56
>
> Let me know what you think
>
> Thanks
>
> ++++++++++++++++++++++++++++++++++++
> Screen
>
> [rancid@ran01 ~]$ env NOPIPE=y PATH=${PATH}:/usr/local/libexec/rancid drancid -d 79.14.24.56
> executing dlogin -t 30 -c"sys version;sys iface" 79.14.24.56
> 79.14.24.56: missed cmd(s): sys version,sys iface
> 79.14.24.56: missed cmd(s): sys version,sys iface
> [rancid@ran01 ~]$
>
> +++++++++++++++++++++++++++++++++++++
>
> ++++++++++++++++++++++++++++++++++++
> 79.14.24.56.raw
>
> 79.14.24.56
> spawn telnet 79.14.24.56
> Trying 79.14.24.56...
> Connected to 79.14.24.56 (79.14.24.56).
> Escape character is '^]'.
>
>
> Password: **********
>
> Type ? for command help
>
> >
> >
> > sys version
> Router Model: Vigor3100 series Version: v2.7.1 English
> Profile version: 0x2 Status: 1 (0xcd0a7a2)
> Router IP: 192.168.2.1 Netmask: 255.255.255.0
> Firmware Build Date/Time: Wed Nov 29 16:32:4.45 2006
> Revision: 173
> ADSL Firmware Version: R308_1 Annex B
>
> > sys iface
> Interface 0 Ethernet:
> Status: UP
> IP Address: 192.168.2.1 Netmask: 0xFFFFFF00 (Private)
> IP Address: 79.14.24.56 Netmask: 0xFFFFFFF8
> MAC: 00-50-7F-B7-5C-C8
> Interface 3 PPPoE:
> Status: UP
> IP Address: 78.141.28.17 Netmask: 0xFFFFFFFF
> MAC: 00-50-7F-B7-5C-C9
> > quitConnection closed by foreign host.
>
> ++++++++++++++++++++++++++++++++++++
>
> ++++++++++++++++++++++++++++++++++++
> 79.14.24.56.new
>
> !RANCID-CONTENT-TYPE: draytek
> !
> !
> !
> !
> !
>
> +++++++++++++++++++++++++++++++++++++

it's missing the prompt. i'd expect something like

% *rancid -d ...
blahblah
PROMPT MATCH: prompt
HIT COMMAND:prompt command
...

From peter.serwe at gmail.com Thu Apr 16 21:20:42 2009
From: peter.serwe at gmail.com (Peter Serwe)
Date: Thu, 16 Apr 2009 14:20:42 -0700
Subject: [rancid] Fwd: Re: Rancid-Run question and CVS
In-Reply-To:
References: <56A41EA5DB3CA748AD75EBDDE5D1F867042CEE66@stlpexc220.rgare.net> <20090416210320.GR25942@shrubbery.net>
Message-ID:

Apparently I haven't been sending my replies to the list, duhhh.

Peter

---------- Forwarded message ----------
From: Peter Serwe
Date: 2009/4/16
Subject: Re: [rancid] Re: Rancid-Run question and CVS
To: john heasley

On Thu, Apr 16, 2009 at 2:03 PM, john heasley wrote:
> Thu, Apr 16, 2009 at 03:46:31PM -0500, Ball, Jeff:
>> Hello - I had to rebuild a box that I inherited, and have installed and
>> configured rancid for tracking changes to my netscreen firewalls.
>>
>> Everything is working, except that when I execute rancid-run, the
>> versions are updated automagically. On my old box, I executed
>> rancid-run, then CVS separately, and committed each change with
>> comments.
>>
>> How do I keep rancid-run from doing the commit automatically, and allow
>> me to update each config with CVS commit?
>
> someone altered those scripts. there is no way to do that out of the
> box, except creating a rogue cvs executable that does nothing and
> pointing rancid-run's PATH at it.

I would completely be the guy to ask the potentially silly question of why you wouldn't want to increment the repo every time rancid detects a change?

I would personally, (and therefore would think you would) want to capture every single revision.

Peter

From heas at shrubbery.net Thu Apr 16 22:29:07 2009
From: heas at shrubbery.net (john heasley)
Date: Thu, 16 Apr 2009 22:29:07 +0000
Subject: [rancid] F5 ("bigip") script
Message-ID: <20090416222907.GZ25942@shrubbery.net>

I don't have a F5 box, but had put together a script while someone had provided remote access, but hadn't finished testing it. Would someone with one an F5 download ftp://ftp.shrubbery.net/pub/rancid/rancid-2.3.2a10.tar.gz and test it, please.

From mgaysek at gmail.com Fri Apr 17 12:48:40 2009
From: mgaysek at gmail.com (marcus gaysek)
Date: Fri, 17 Apr 2009 08:48:40 -0400
Subject: [rancid] Re: F5 ("bigip") script
In-Reply-To: <20090416222907.GZ25942@shrubbery.net>
References: <20090416222907.GZ25942@shrubbery.net>
Message-ID:

I may be able to test this for you in our Dev environment, sometime in the next few days.

There are f5 scripts already in place, does your script perform anything different than the current ones?

On Thu, Apr 16, 2009 at 6:29 PM, john heasley wrote:
> I don't have a F5 box, but had put together a script while someone had
> provided remote access, but hadn't finished testing it. Would someone
> with one an F5 download
> ftp://ftp.shrubbery.net/pub/rancid/rancid-2.3.2a10.tar.gz
> and test it, please.

From heas at shrubbery.net Fri Apr 17 19:58:59 2009
From: heas at shrubbery.net (john heasley)
Date: Fri, 17 Apr 2009 19:58:59 +0000
Subject: [rancid] Re: F5 ("bigip") script
In-Reply-To:
References: <20090416222907.GZ25942@shrubbery.net>
Message-ID: <20090417195859.GA1994@shrubbery.net>

Fri, Apr 17, 2009 at 08:48:40AM -0400, marcus gaysek:
> I may be able to test this for you in our Dev environment, sometime in the
> next few days.
>
> There are f5 scripts already in place, does your script perform anything
> different than the current ones?

IIRC, it is largely the same as the one in 2.3.2a9, whose makefile did not install the script.

> On Thu, Apr 16, 2009 at 6:29 PM, john heasley wrote:
>
> > I don't have a F5 box, but had put together a script while someone had
> > provided remote access, but hadn't finished testing it. Would someone
> > with one an F5 download
> > ftp://ftp.shrubbery.net/pub/rancid/rancid-2.3.2a10.tar.gz
> > and test it, please.

From mgaysek at gmail.com Fri Apr 17 20:56:10 2009
From: mgaysek at gmail.com (marcus gaysek)
Date: Fri, 17 Apr 2009 16:56:10 -0400
Subject: [rancid] Re: F5 ("bigip") script
In-Reply-To: <20090417195859.GA1994@shrubbery.net>
References: <20090416222907.GZ25942@shrubbery.net> <20090417195859.GA1994@shrubbery.net>
Message-ID:

Just a quick note. The install went smooth and the rancid-run ran fine. I took a quick look at the config saved and I think I like what I see. I will provide a better update on Monday or Tuesday.

On Fri, Apr 17, 2009 at 3:58 PM, john heasley wrote:
> Fri, Apr 17, 2009 at 08:48:40AM -0400, marcus gaysek:
> > I may be able to test this for you in our Dev environment, sometime in the
> > next few days.
> >
> > There are f5 scripts already in place, does your script perform anything
> > different than the current ones?
>
> IIRC, it is largely the same as the one in 2.3.2a9, whose makefile did not
> install the script.
>
> > On Thu, Apr 16, 2009 at 6:29 PM, john heasley wrote:
> >
> > > I don't have a F5 box, but had put together a script while someone had
> > > provided remote access, but hadn't finished testing it. Would someone
> > > with one an F5 download
> > > ftp://ftp.shrubbery.net/pub/rancid/rancid-2.3.2a10.tar.gz
> > > and test it, please.

From teun at moonblade.net Mon Apr 20 13:27:37 2009
From: teun at moonblade.net (Teun Vink)
Date: Mon, 20 Apr 2009 15:27:37 +0200
Subject: [rancid] Re: F5 ("bigip") script
In-Reply-To: <20090416222907.GZ25942@shrubbery.net>
References: <20090416222907.GZ25942@shrubbery.net>
Message-ID: <1240234057.11944.39.camel@moridin.office.bit.nl.office.bit.nl>

On Thu, 2009-04-16 at 22:29 +0000, john heasley wrote:
> I don't have a F5 box, but had put together a script while someone had
> provided remote access, but hadn't finished testing it. Would someone
> with one an F5 download
> ftp://ftp.shrubbery.net/pub/rancid/rancid-2.3.2a10.tar.gz
> and test it, please.

Just did a quick test, it works fine for me. I had some issues with the previous version which seemed to have some ordering issues in the output, which resulted in false diffs every single run. I don't see them in this version, so I'm happy :)

regards,
Teun

From meskander at perimeterwatch.com Mon Apr 20 13:32:58 2009
From: meskander at perimeterwatch.com (Mina Eskander)
Date: Mon, 20 Apr 2009 09:32:58 -0400
Subject: [rancid] Re: Rancid with Fortigate Devices?
In-Reply-To: <20090416182401.GE25942@shrubbery.net>
References: <20090416182401.GE25942@shrubbery.net>
Message-ID:

I ran the command and here is the output:

[rancid at pwcolocacti ~]$ nlogin -t 90 -c"get system status;get conf" pwcolofgt100c
pwcolofgt100c
spawn ssh -c 3des -x -l meskander pwcolofgt100c
meskander at pwcolofgt100c's password:
FGT100C3G0860259~ $
Error: TIMEOUT reached

I think I've seen this before, it looks like rancid does not recognize the prompt, what do you think?

-----Original Message-----
From: john heasley [mailto:heas at shrubbery.net]
Sent: Thursday, April 16, 2009 2:24 PM
To: Mina Eskander
Cc: rancid-discuss at shrubbery.net
Subject: Re: [rancid] Re: Rancid with Fortigate Devices?

Thu, Apr 16, 2009 at 11:38:45AM -0400, Mina Eskander:
> Has anybody made progress with this?
> I set up a new rancid server and did a fnrancid with the following output.
>
> [rancid at pwcolocacti ~]$ bin/fnrancid -d pwcolofgt100c
> executing nlogin -t 90 -c"get system status;get conf" pwcolofgt100c
> pwcolofgt100c nlogin error: Error: TIMEOUT reached
> pwcolofgt100c nlogin error: Error: TIMEOUT reached
> pwcolofgt100c: missed cmd(s): get conf,get system status
> pwcolofgt100c: missed cmd(s): get conf,get system status
> 0: found end
> pwcolofgt100c: End of run not found
> pwcolofgt100c: End of run not found
>
> not really sure if it's because of a regex problem or the commands or what, I would appreciate any help with this.

first step should always be to make sure that the expect script is working.
what does
nlogin -t 90 -c"get system status;get conf" pwcolofgt100c
o/p?

> Network Security | Disaster Recovery | Business Continuity | IT Projects | Application Development

what is 'business continuity'?

From heas at shrubbery.net Mon Apr 20 16:25:09 2009
From: heas at shrubbery.net (john heasley)
Date: Mon, 20 Apr 2009 16:25:09 +0000
Subject: [rancid] Re: Rancid with Fortigate Devices?
In-Reply-To:
References: <20090416182401.GE25942@shrubbery.net>
Message-ID: <20090420162509.GB21045@shrubbery.net>

Mon, Apr 20, 2009 at 09:32:58AM -0400, Mina Eskander:
>
> I ran the command and here is the output:
>
> [rancid at pwcolocacti ~]$ nlogin -t 90 -c"get system status;get conf" pwcolofgt100c
> pwcolofgt100c
> spawn ssh -c 3des -x -l meskander pwcolofgt100c
> meskander at pwcolofgt100c's password:
> FGT100C3G0860259~ $
> Error: TIMEOUT reached
>
> I think I've seen this before, it looks like rancid does not recognize the prompt, what do you think?

probably. try it with the -d option

> -----Original Message-----
> From: john heasley [mailto:heas at shrubbery.net] > Sent: Thursday, April 16, 2009 2:24 PM > To: Mina Eskander > Cc: rancid-discuss at shrubbery.net > Subject: Re: [rancid] Re: Rancid with Fortigate Devices? > > Thu, Apr 16, 2009 at 11:38:45AM -0400, Mina Eskander: > > Has anybody made progress with this? > > I set up a new rancid server and did a fnrancid with the following output. > > > > [rancid at pwcolocacti ~]$ bin/fnrancid -d pwcolofgt100c > > executing nlogin -t 90 -c"get system status;get conf" pwcolofgt100c > > pwcolofgt100c nlogin error: Error: TIMEOUT reached > > pwcolofgt100c nlogin error: Error: TIMEOUT reached > > pwcolofgt100c: missed cmd(s): get conf,get system status > > pwcolofgt100c: missed cmd(s): get conf,get system status > > 0: found end > > pwcolofgt100c: End of run not found > > pwcolofgt100c: End of run not found > > > > not really sure if it's because of a regex problem or the commands or what, I would appreciate any help with this. > > first step should always be to make sure that the expect script is working. > what does > nlogin -t 90 -c"get system status;get conf" pwcolofgt100c > o/p? > > > Network Security | Disaster Recovery | Business Continuity | IT Projects | Application Development > > what is 'business continuity'? From heas at shrubbery.net Mon Apr 20 17:28:40 2009 
From: heas at shrubbery.net (john heasley)
Date: Mon, 20 Apr 2009 17:28:40 +0000
Subject: [rancid] Re: F5 ("bigip") script
In-Reply-To:
References: <20090416222907.GZ25942@shrubbery.net> <1240234057.11944.39.camel@moridin.office.bit.nl.office.bit.nl>
Message-ID: <20090420172840.GM21045@shrubbery.net>

Mon, Apr 20, 2009 at 12:34:18PM -0400, marcus gaysek:
> I have tested with a couple of Cisco devices, including an ASA and I am not
> seeing the formatting issues I have seen in the past.

that's probably luck.

> The LTM config looks great. The only thing that I can see that needs to be

what is 'LTM'?

> manually downloaded are the certs. All in all this seems to be a great
> improvement. Thanks for making it work.

The certs are in the configuration? is there a command or option to get them?

> On Mon, Apr 20, 2009 at 9:27 AM, Teun Vink wrote:
>
> > On Thu, 2009-04-16 at 22:29 +0000, john heasley wrote:
> > > I don't have a F5 box, but had put together a script while someone had
> > > provided remote access, but hadn't finished testing it. Would someone
> > > with one an F5 download
> > > ftp://ftp.shrubbery.net/pub/rancid/rancid-2.3.2a10.tar.gz
> > > and test it, please.
> >
> > Just did a quick test, it works fine for me. I had some issues with the
> > previous version which seemed to have some ordering issues in the
> > output, which resulted in false diffs every single run. I don't see them
> > in this version, so I'm happy :)
> >
> > regards,
> > Teun

From mgaysek at gmail.com Mon Apr 20 16:34:18 2009
From: mgaysek at gmail.com (marcus gaysek)
Date: Mon, 20 Apr 2009 12:34:18 -0400
Subject: [rancid] Re: F5 ("bigip") script
In-Reply-To: <1240234057.11944.39.camel@moridin.office.bit.nl.office.bit.nl>
References: <20090416222907.GZ25942@shrubbery.net> <1240234057.11944.39.camel@moridin.office.bit.nl.office.bit.nl>
Message-ID:

I have tested with a couple of Cisco devices, including an ASA and I am not seeing the formatting issues I have seen in the past.

The LTM config looks great. The only thing that I can see that needs to be manually downloaded are the certs. All in all this seems to be a great improvement. Thanks for making it work.

On Mon, Apr 20, 2009 at 9:27 AM, Teun Vink wrote:
> On Thu, 2009-04-16 at 22:29 +0000, john heasley wrote:
> > I don't have a F5 box, but had put together a script while someone had
> > provided remote access, but hadn't finished testing it. Would someone
> > with one an F5 download
> > ftp://ftp.shrubbery.net/pub/rancid/rancid-2.3.2a10.tar.gz
> > and test it, please.
>
> Just did a quick test, it works fine for me. I had some issues with the
> previous version which seemed to have some ordering issues in the
> output, which resulted in false diffs every single run. I don't see them
> in this version, so I'm happy :)
>
> regards,
> Teun

From mashcraft at omniture.com Mon Apr 20 17:37:33 2009
From: mashcraft at omniture.com (Mike Ashcraft)
Date: Mon, 20 Apr 2009 11:37:33 -0600
Subject: [rancid] Re: F5 ("bigip") script
In-Reply-To: <20090420172840.GM21045@shrubbery.net>
References: <20090416222907.GZ25942@shrubbery.net> <1240234057.11944.39.camel@moridin.office.bit.nl.office.bit.nl> <20090420172840.GM21045@shrubbery.net>
Message-ID: <370BD08812250148A3EC9CFC41A6D60101A65B15CC@EXCHANGE1.orm.omniture.com>

LTM = Local Traffic Manager = F5 Big-IP

Thanks

-----Original Message-----
From: rancid-discuss-bounces at shrubbery.net [mailto:rancid-discuss-bounces at shrubbery.net] On Behalf Of john heasley Sent: Monday, April 20, 2009 11:29 AM To: marcus gaysek Cc: rancid-discuss at shrubbery.net Subject: [rancid] Re: F5 ("bigip") script Mon, Apr 20, 2009 at 12:34:18PM -0400, marcus gaysek: > I have tested with a couple of Cisco devices, including an ASA and I am not > seeing the formatting issues I have seen in the past. thats probably luck. > The LTM config looks great. The only thing that I can see that needs to be what is 'LTM'? > manually downloaded are the certs. All in all this seems to be a great > improvemant. Thanks for making it work. The certs are in the configuration? is there a command or option to get them? > On Mon, Apr 20, 2009 at 9:27 AM, Teun Vink wrote: > > > On Thu, 2009-04-16 at 22:29 +0000, john heasley wrote: > > > I don't have a F5 box, but had put together a script while someone had > > > provided remote access, but hadn't finished testing it. Would someone > > > with one an F5 download > > > ftp://ftp.shrubbery.net/pub/rancid/rancid-2.3.2a10.tar.gz > > > and test it, please. > > > > Just did a quick test, it works fine for me. I had some issues with the > > previous version which seemed to have some ordering issues in the > > output, which resulted in false diffs every single run. I don't see them > > in this version, so I'm happy :) > > > > regards, > > Teun > > > > _______________________________________________ > > Rancid-discuss mailing list > > Rancid-discuss at shrubbery.net > > http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss > > _______________________________________________ Rancid-discuss mailing list Rancid-discuss at shrubbery.net http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss From meskander at perimeterwatch.com Mon Apr 20 17:39:35 2009 
From: meskander at perimeterwatch.com (Mina Eskander)
Date: Mon, 20 Apr 2009 13:39:35 -0400
Subject: [rancid] Re: Rancid with Fortigate Devices?
In-Reply-To: <20090420162509.GB21045@shrubbery.net>
References: <20090416182401.GE25942@shrubbery.net> <20090420162509.GB21045@shrubbery.net>
Message-ID:

[rancid at pwcolocacti ~]$ nlogin -d -t 90 -c"get system status;get conf" pwcolofgt100c
pwcolofgt100c
spawn ssh -c 3des -x -l meskander pwcolofgt100c
parent: waiting for sync byte
parent: telling child to go ahead
parent: now unsynchronized from child
spawn: returns {6199}

expect: does "" (spawn_id exp6) match glob pattern "Connection refused"? no
"Unknown host\r\n"? no
"Host is unreachable"? no
"No address associated with name"? no
"Are you sure you want to continue connecting .*"? no
"Host key not found .* (yes/no)?"? no
"HOST IDENTIFICATION HAS CHANGED.* (yes/no)?"? no
"Offending key for .* (yes/no)?"? no
"denied"? no
" ### Login failed"? no
"(login:)"? no
"@[^\r\n]+[Pp]assword:"? no
"[Pp]assword:"? no
"-> "? no
meskander at pwcolofgt100c's password:
expect: does "meskander at pwcolofgt100c's password: " (spawn_id exp6) match glob pattern "Connection refused"? no
"Unknown host\r\n"? no
"Host is unreachable"? no
"No address associated with name"? no
"Are you sure you want to continue connecting .*"? no
"Host key not found .* (yes/no)?"? no
"HOST IDENTIFICATION HAS CHANGED.* (yes/no)?"? no
"Offending key for .* (yes/no)?"? no
"denied"? no
" ### Login failed"? no
"(login:)"? no
"@[^\r\n]+[Pp]assword:"? yes
expect: set expect_out(0,string) "@pwcolofgt100c's password:"
expect: set expect_out(spawn_id) "exp6"
expect: set expect_out(buffer) "meskander at pwcolofgt100c's password:"
send: sending "G0ds at v3s\r" to { exp6 }
expect: continuing expect

expect: does " " (spawn_id exp6) match glob pattern "Connection refused"? no
"Unknown host\r\n"? no
"Host is unreachable"? no
"No address associated with name"? no
"Are you sure you want to continue connecting .*"? no
"Host key not found .* (yes/no)?"? no
"HOST IDENTIFICATION HAS CHANGED.* (yes/no)?"? no
"Offending key for .* (yes/no)?"? no
"denied"? no
" ### Login failed"? no
"(login:)"? no
"@[^\r\n]+[Pp]assword:"? no
"[Pp]assword:"? no
"-> "? no

expect: does " \r\n" (spawn_id exp6) match glob pattern "Connection refused"? no
"Unknown host\r\n"? no
"Host is unreachable"? no
"No address associated with name"? no
"Are you sure you want to continue connecting .*"? no
"Host key not found .* (yes/no)?"? no
"HOST IDENTIFICATION HAS CHANGED.* (yes/no)?"? no
"Offending key for .* (yes/no)?"? no
"denied"? no
" ### Login failed"? no
"(login:)"? no
"@[^\r\n]+[Pp]assword:"? no
"[Pp]assword:"? no
"-> "? no
FGT100C3G0860259~ $
expect: does " \r\nFGT100C3G0860259~ $ " (spawn_id exp6) match glob pattern "Connection refused"? no
"Unknown host\r\n"? no
"Host is unreachable"? no
"No address associated with name"? no
"Are you sure you want to continue connecting .*"? no
"Host key not found .* (yes/no)?"? no
"HOST IDENTIFICATION HAS CHANGED.* (yes/no)?"? no
"Offending key for .* (yes/no)?"? no
"denied"? no
" ### Login failed"? no
"(login:)"? no
"@[^\r\n]+[Pp]assword:"? no
"[Pp]assword:"? no
"-> "? no
expect: timed out
Error: TIMEOUT reached
write() failed to write anything - will sleep(1) and retry...
[rancid at pwcolocacti ~]$

Mina Eskander
Perimeterwatch Technologies
Direct: +1 (347) 448-2845
Mobile: +1 (347) 510-4102
meskander at perimeterwatch.com
Network Security | Disaster Recovery | Business Continuity | IT Projects | Application Development
_____________________________________________________________________
New York: (347) 448-2845 - 34-12 36th Street - 2nd Floor - Astoria, NY 11106

-----Original Message-----
From: john heasley [mailto:heas at shrubbery.net] Sent: Monday, April 20, 2009 12:25 PM To: Mina Eskander Cc: john heasley; rancid-discuss at shrubbery.net Subject: Re: [rancid] Re: Rancid with Fortigate Devices? Mon, Apr 20, 2009 at 09:32:58AM -0400, Mina Eskander: > > I ran the commanded and here is the output: > > [rancid at pwcolocacti ~]$ nlogin -t 90 -c"get system status;get conf" pwcolofgt100c > pwcolofgt100c > spawn ssh -c 3des -x -l meskander pwcolofgt100c > meskander at pwcolofgt100c's password: > FGT100C3G0860259~ $ > Error: TIMEOUT reached > > I think ive seen this before, it looks like rancid does not recognize the prompt, what do you think? probably. try it with the -d option > -----Original Message----- 
> From: john heasley [mailto:heas at shrubbery.net]
> Sent: Thursday, April 16, 2009 2:24 PM
> To: Mina Eskander
> Cc: rancid-discuss at shrubbery.net
> Subject: Re: [rancid] Re: Rancid with Fortigate Devices?
>
> Thu, Apr 16, 2009 at 11:38:45AM -0400, Mina Eskander:
> > Has anybody made progress with this?
> > I set up a new rancid server and did a fnrancid with the following output.
> >
> > [rancid at pwcolocacti ~]$ bin/fnrancid -d pwcolofgt100c
> > executing nlogin -t 90 -c"get system status;get conf" pwcolofgt100c
> > pwcolofgt100c nlogin error: Error: TIMEOUT reached
> > pwcolofgt100c nlogin error: Error: TIMEOUT reached
> > pwcolofgt100c: missed cmd(s): get conf,get system status
> > pwcolofgt100c: missed cmd(s): get conf,get system status
> > 0: found end
> > pwcolofgt100c: End of run not found
> > pwcolofgt100c: End of run not found
> >
> > not really sure if it's because of a regex problem or the commands or what, I would appreciate any help with this.
>
> first step should always be to make sure that the expect script is working.
> what does
> nlogin -t 90 -c"get system status;get conf" pwcolofgt100c
> o/p?
>
> > Network Security | Disaster Recovery | Business Continuity | IT Projects | Application Development
>
> what is 'business continuity'?

From heas at shrubbery.net Mon Apr 20 17:45:51 2009
From: heas at shrubbery.net (john heasley)
Date: Mon, 20 Apr 2009 17:45:51 +0000
Subject: [rancid] Re: Rancid with Fortigate Devices?
In-Reply-To:
References: <20090416182401.GE25942@shrubbery.net> <20090420162509.GB21045@shrubbery.net>
Message-ID: <20090420174551.GO21045@shrubbery.net>

yep, your prompt is
nFGT100C3G0860259~ $
but the script expects
->

From mgaysek at gmail.com Mon Apr 20 18:08:25 2009
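[Added example, not part of any message in this thread and not RANCID code: a Python helper that reads debug output like the `nlogin -d` transcript above, reports the buffer left unmatched at the timeout together with the patterns that were tried, and masks the string on `send: sending` lines so a transcript can be posted without the password. The sample transcript, the host name `fw1` and all function names are constructed for illustration; the suggested regex is in Python syntax and is only a starting point for the login script's prompt pattern.]

```python
import re

# One "expect: does "<buffer>" (spawn_id N) match <kind> " header per attempt.
ATTEMPT = re.compile(r'expect: does "([^\n]*?)" \(spawn_id (\w+)\) match [a-z ]+? (?=")')
# Each tested pattern is printed as: "<pattern>"? yes|no
RESULT = re.compile(r'"([^\n]*?)"\? (yes|no)\b')
# Debug mode echoes everything sent to the device, passwords included.
SEND = re.compile(r'(send: sending ")([^\n]*?)(" to \{ \w+ \})')


def parse_attempts(text):
    """Return one dict per match attempt: buffer, patterns tried, matched pattern."""
    attempts = []
    for m in ATTEMPT.finditer(text):
        pos, tried, matched = m.end(), [], None
        while True:
            r = RESULT.match(text, pos)
            if not r:
                break
            tried.append(r.group(1))
            if r.group(2) == "yes":
                matched = r.group(1)
            pos = r.end()
            while pos < len(text) and text[pos].isspace():
                pos += 1
        attempts.append({"buffer": m.group(1), "tried": tried, "matched": matched})
    return attempts


def unmatched_tail(buffer):
    """Last non-empty line of a buffer whose CR/LF are printed as \\r and \\n."""
    decoded = buffer.replace("\\r\\n", "\n").replace("\\r", "\n").replace("\\n", "\n")
    lines = [ln.strip() for ln in decoded.split("\n") if ln.strip()]
    return lines[-1] if lines else ""


def suggest_prompt_regex(tail):
    """Generalise the leading host-name run, keep the rest of the prompt literal."""
    m = re.match(r"[A-Za-z0-9_.-]+", tail)
    host = r"[A-Za-z0-9_.-]+" if m else ""
    rest = tail[m.end():] if m else tail
    return host + re.escape(rest) + r" ?$"


def diagnose(text):
    """Summarise why the login script timed out waiting for a prompt."""
    attempts = parse_attempts(text)
    if not attempts:
        return {"timed_out": "expect: timed out" in text, "unmatched_tail": None,
                "patterns_tried": [], "suggested_regex": None}
    last = attempts[-1]
    tail = unmatched_tail(last["buffer"])
    return {
        "timed_out": "expect: timed out" in text,
        "unmatched_tail": tail,
        "patterns_tried": last["tried"],
        "suggested_regex": suggest_prompt_regex(tail) if tail else None,
    }


def redact_sends(text):
    """Mask the payload of every 'send: sending "..."' line before sharing."""
    return SEND.sub(lambda m: m.group(1) + "<redacted>" + m.group(3), text)


# Constructed sample transcript (shortened pattern list, made-up host and password).
SAMPLE = r'''spawn ssh -x -l admin fw1
expect: does "" (spawn_id exp6) match glob pattern "Connection refused"? no
"[Pp]assword:"? no
"-> "? no
admin@fw1's password:
expect: does "admin@fw1's password: " (spawn_id exp6) match glob pattern "Connection refused"? no
"[Pp]assword:"? yes
expect: set expect_out(0,string) "password:"
expect: set expect_out(buffer) "admin@fw1's password:"
send: sending "EXAMPLE-ONLY\r" to { exp6 }
expect: continuing expect
fw1~ $
expect: does " \r\nfw1~ $ " (spawn_id exp6) match glob pattern "Connection refused"? no
"[Pp]assword:"? no
"-> "? no
expect: timed out
Error: TIMEOUT reached
'''

if __name__ == "__main__":
    report = diagnose(SAMPLE)
    print("timed out:      ", report["timed_out"])
    print("device sent:    ", repr(report["unmatched_tail"]))
    print("patterns tried: ", report["patterns_tried"])
    print("candidate regex:", report["suggested_regex"])
    print(redact_sends(SAMPLE))
```
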
From: mgaysek at gmail.com (marcus gaysek)
Date: Mon, 20 Apr 2009 14:08:25 -0400
Subject: [rancid] Re: F5 ("bigip") script
In-Reply-To: <370BD08812250148A3EC9CFC41A6D60101A65B15CC@EXCHANGE1.orm.omniture.com>
References: <20090416222907.GZ25942@shrubbery.net> <1240234057.11944.39.camel@moridin.office.bit.nl.office.bit.nl> <20090420172840.GM21045@shrubbery.net> <370BD08812250148A3EC9CFC41A6D60101A65B15CC@EXCHANGE1.orm.omniture.com>
Message-ID:

The certs are located in the config/ssl/ sub-directories, which would need to be downloaded. I would think that functionality would be outside of Rancid, but if you lost your LTM you would need them to rebuild a new one. You capture their names as part of the config. They are listed in the last few lines.

There is a command in the BigIP devices (GTMs and LTMs) that captures all the files and compresses them in a .ucs file. Once they are created they can be downloaded and used to restore a BigIP.

On Mon, Apr 20, 2009 at 1:37 PM, Mike Ashcraft wrote:
> LTM = Local Traffic Manager = F5 Big-IP
>
> Thanks
>
> -----Original Message-----
> From: rancid-discuss-bounces at shrubbery.net [mailto: > rancid-discuss-bounces at shrubbery.net] On Behalf Of john heasley > Sent: Monday, April 20, 2009 11:29 AM > To: marcus gaysek > Cc: rancid-discuss at shrubbery.net > Subject: [rancid] Re: F5 ("bigip") script > > Mon, Apr 20, 2009 at 12:34:18PM -0400, marcus gaysek: > > I have tested with a couple of Cisco devices, including an ASA and I am > not > > seeing the formatting issues I have seen in the past. > > thats probably luck. > > > The LTM config looks great. The only thing that I can see that needs to > be > > what is 'LTM'? > > > manually downloaded are the certs. All in all this seems to be a great > > improvemant. Thanks for making it work. > > The certs are in the configuration? is there a command or option to get > them? > > > On Mon, Apr 20, 2009 at 9:27 AM, Teun Vink wrote: > > > > > On Thu, 2009-04-16 at 22:29 +0000, john heasley wrote: > > > > I don't have a F5 box, but had put together a script while someone > had > > > > provided remote access, but hadn't finished testing it. Would > someone > > > > with one an F5 download > > > > ftp://ftp.shrubbery.net/pub/rancid/rancid-2.3.2a10.tar.gz > > > > and test it, please. > > > > > > Just did a quick test, it works fine for me. I had some issues with the > > > previous version which seemed to have some ordering issues in the > > > output, which resulted in false diffs every single run. 
I don't see > them > > > in this version, so I'm happy :) > > > > > > regards, > > > Teun > > > > > > _______________________________________________ > > > Rancid-discuss mailing list > > > Rancid-discuss at shrubbery.net > > > http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss > > > > _______________________________________________ > Rancid-discuss mailing list > Rancid-discuss at shrubbery.net > http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss > _______________________________________________ > Rancid-discuss mailing list > Rancid-discuss at shrubbery.net > http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://www.shrubbery.net/pipermail/rancid-discuss/attachments/20090420/f531f68e/attachment.html From heas at shrubbery.net Mon Apr 20 18:37:10 2009 
From: heas at shrubbery.net (john heasley)
Date: Mon, 20 Apr 2009 18:37:10 +0000
Subject: [rancid] Re: F5 ("bigip") script
In-Reply-To:
References: <20090416222907.GZ25942@shrubbery.net> <1240234057.11944.39.camel@moridin.office.bit.nl.office.bit.nl> <20090420172840.GM21045@shrubbery.net> <370BD08812250148A3EC9CFC41A6D60101A65B15CC@EXCHANGE1.orm.omniture.com>
Message-ID: <20090420183710.GT21045@shrubbery.net>

Mon, Apr 20, 2009 at 02:08:25PM -0400, marcus gaysek:
> The certs are located in the config/ssl/ sub-directories, which would
> need to be downloaded. I would think that functionality would be outside of
> Rancid, but if you lost your LTM you would need them to rebuild a new one.
> You capture their names as part of the config. They are listed in the last
> few lines.

if they're always these files
{'ls --full-time --color=never /config/ssl/ssl.crt' => 'ShowSslCrt'},
{'ls --full-time --color=never /config/ssl/ssl.key' => 'ShowSslKey'},
is there a "cat" or "more" command? Their contents should be ascii.

> There is a command in the BigIP devices (GTMs and LTMs) that captures all
> the files and compresses them in a .ucs file. Once they are created they
> can be downloaded and used to restore a BigIP.
>
> On Mon, Apr 20, 2009 at 1:37 PM, Mike Ashcraft wrote:
>
> > LTM = Local Traffic Manager = F5 Big-IP
> >
> > Thanks
> >
> > -----Original Message-----
> > From: rancid-discuss-bounces at shrubbery.net [mailto: > > rancid-discuss-bounces at shrubbery.net] On Behalf Of john heasley > > Sent: Monday, April 20, 2009 11:29 AM > > To: marcus gaysek > > Cc: rancid-discuss at shrubbery.net > > Subject: [rancid] Re: F5 ("bigip") script > > > > Mon, Apr 20, 2009 at 12:34:18PM -0400, marcus gaysek: > > > I have tested with a couple of Cisco devices, including an ASA and I am > > not > > > seeing the formatting issues I have seen in the past. > > > > thats probably luck. > > > > > The LTM config looks great. The only thing that I can see that needs to > > be > > > > what is 'LTM'? > > > > > manually downloaded are the certs. All in all this seems to be a great > > > improvemant. Thanks for making it work. > > > > The certs are in the configuration? is there a command or option to get > > them? > > > > > On Mon, Apr 20, 2009 at 9:27 AM, Teun Vink wrote: > > > > > > > On Thu, 2009-04-16 at 22:29 +0000, john heasley wrote: > > > > > I don't have a F5 box, but had put together a script while someone > > had > > > > > provided remote access, but hadn't finished testing it. Would > > someone > > > > > with one an F5 download > > > > > ftp://ftp.shrubbery.net/pub/rancid/rancid-2.3.2a10.tar.gz > > > > > and test it, please. > > > > > > > > Just did a quick test, it works fine for me. I had some issues with the > > > > previous version which seemed to have some ordering issues in the > > > > output, which resulted in false diffs every single run. 
I don't see > > them > > > > in this version, so I'm happy :) > > > > > > > > regards, > > > > Teun > > > > > > > > _______________________________________________ > > > > Rancid-discuss mailing list > > > > Rancid-discuss at shrubbery.net > > > > http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss > > > > > > _______________________________________________ > > Rancid-discuss mailing list > > Rancid-discuss at shrubbery.net > > http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss > > _______________________________________________ > > Rancid-discuss mailing list > > Rancid-discuss at shrubbery.net > > http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss > > From mgaysek at gmail.com Mon Apr 20 18:48:41 2009 
From: mgaysek at gmail.com (marcus gaysek)
Date: Mon, 20 Apr 2009 14:48:41 -0400
Subject: [rancid] Re: F5 ("bigip") script
In-Reply-To: <20090420183710.GT21045@shrubbery.net>
References: <20090416222907.GZ25942@shrubbery.net> <1240234057.11944.39.camel@moridin.office.bit.nl.office.bit.nl> <20090420172840.GM21045@shrubbery.net> <370BD08812250148A3EC9CFC41A6D60101A65B15CC@EXCHANGE1.orm.omniture.com> <20090420183710.GT21045@shrubbery.net>
Message-ID:

Those are actually directories. The name of the certs are always different. Both cat and more are available (BigIPs are linux/bsd based).

I believe all the files below ssl directory are required, excluding ca-bundle.crt. The amount of files depends on how many certs are installed on the device.

There are four directories:
ssl.crl
ssl.crt
ssl.csr
ssl.key

On Mon, Apr 20, 2009 at 2:37 PM, john heasley wrote:
> Mon, Apr 20, 2009 at 02:08:25PM -0400, marcus gaysek:
> > The certs are located in the config/ssl/ sub-directories, which would
> > need to be downloaded. I would think that functionality would be outside of
> > Rancid, but if you lost your LTM you would need them to rebuild a new one.
> > You capture their names as part of the config. They are listed in the last
> > few lines.
>
> if they're always these files
> {'ls --full-time --color=never /config/ssl/ssl.crt' => 'ShowSslCrt'},
> {'ls --full-time --color=never /config/ssl/ssl.key' => 'ShowSslKey'},
> is there a "cat" or "more" command? Their contents should be ascii.
>
> > There is a command in the BigIP devices (GTMs and LTMs) that captures all
> > the files and compresses them in a .ucs file. Once they are created they
> > can be downloaded and used to restore a BigIP.
> >
> > On Mon, Apr 20, 2009 at 1:37 PM, Mike Ashcraft wrote:
> >
> > > LTM = Local Traffic Manager = F5 Big-IP
> > >
> > > Thanks
> > >
> > > -----Original Message-----
> > > From: rancid-discuss-bounces at shrubbery.net [mailto: > > > rancid-discuss-bounces at shrubbery.net] On Behalf Of john heasley > > > Sent: Monday, April 20, 2009 11:29 AM > > > To: marcus gaysek > > > Cc: rancid-discuss at shrubbery.net > > > Subject: [rancid] Re: F5 ("bigip") script > > > > > > Mon, Apr 20, 2009 at 12:34:18PM -0400, marcus gaysek: > > > > I have tested with a couple of Cisco devices, including an ASA and I > am > > > not > > > > seeing the formatting issues I have seen in the past. > > > > > > thats probably luck. > > > > > > > The LTM config looks great. The only thing that I can see that needs > to > > > be > > > > > > what is 'LTM'? > > > > > > > manually downloaded are the certs. All in all this seems to be a > great > > > > improvemant. Thanks for making it work. > > > > > > The certs are in the configuration? is there a command or option to > get > > > them? > > > > > > > On Mon, Apr 20, 2009 at 9:27 AM, Teun Vink > wrote: > > > > > > > > > On Thu, 2009-04-16 at 22:29 +0000, john heasley wrote: > > > > > > I don't have a F5 box, but had put together a script while > someone > > > had > > > > > > provided remote access, but hadn't finished testing it. Would > > > someone > > > > > > with one an F5 download > > > > > > ftp://ftp.shrubbery.net/pub/rancid/rancid-2.3.2a10.tar.gz > > > > > > and test it, please. > > > > > > > > > > Just did a quick test, it works fine for me. I had some issues with > the > > > > > previous version which seemed to have some ordering issues in the > > > > > output, which resulted in false diffs every single run. 
> > > > > I don't see them in this version, so I'm happy :)
> > > > >
> > > > > regards,
> > > > > Teun

From mashcraft at omniture.com Mon Apr 20 20:01:10 2009
From: mashcraft at omniture.com (Mike Ashcraft)
Date: Mon, 20 Apr 2009 14:01:10 -0600
Subject: [rancid] Re: F5 ("bigip") script
In-Reply-To:
References: <20090416222907.GZ25942@shrubbery.net> <1240234057.11944.39.camel@moridin.office.bit.nl.office.bit.nl> <20090420172840.GM21045@shrubbery.net> <370BD08812250148A3EC9CFC41A6D60101A65B15CC@EXCHANGE1.orm.omniture.com> <20090420183710.GT21045@shrubbery.net>
Message-ID: <370BD08812250148A3EC9CFC41A6D60101A65B165A@EXCHANGE1.orm.omniture.com>

I added the SSL directory listings to track changes to SSL certs [adds/removals/updates].

Storing these as part of the config within rancid would be reasonable only if there were very few certs. They are best archived elsewhere by backing up the .ucs file as Marcus mentioned, an rsync to a backup host or similar methods.

Mike

From: marcus gaysek [mailto:mgaysek at gmail.com] Sent: Monday, April 20, 2009 12:49 PM To: john heasley Cc: Mike Ashcraft; rancid-discuss at shrubbery.net Subject: Re: [rancid] Re: F5 ("bigip") script Those are actually directories. The name of the certs are always different. Both cat and more are available (BigIPs are linux/bsd based). I believe all the files below ssl directory are required, excluding ca-bundle.crt. The amount of files depends on how many certs are installed on the device. There are four directories: ssl.crl ssl.crt ssl.csr ssl.key On Mon, Apr 20, 2009 at 2:37 PM, john heasley > wrote: Mon, Apr 20, 2009 at 02:08:25PM -0400, marcus gaysek: > The certs are located in in the config/ssl/ sub-directories, which would > need to be download'd. I would think that functionality would be outside of > Rancid, but if you lost your LTM you would need them to rebuild a new one. > You capture their names as part of the config. They are listed in the last > few lines. if they're always these files {'ls --full-time --color=never /config/ssl/ssl.crt' => 'ShowSslCrt'}, {'ls --full-time --color=never /config/ssl/ssl.key' => 'ShowSslKey'}, is there a "cat" or "more" command? Their contents should be ascii. > There is a command in the BigIP devices (GTMs and LTMs) that captures all > the files and compresses them in a .ucs file. Once they are created they > can be downloaded and used to restore a BigIP. > > On Mon, Apr 20, 2009 at 1:37 PM, Mike Ashcraft >wrote: > > > LTM = Local Traffic Manager = F5 Big-IP > > > > Thanks > > > > -----Original Message----- 
> > From: rancid-discuss-bounces at shrubbery.net [mailto: > > rancid-discuss-bounces at shrubbery.net] On Behalf Of john heasley > > Sent: Monday, April 20, 2009 11:29 AM > > To: marcus gaysek > > Cc: rancid-discuss at shrubbery.net > > Subject: [rancid] Re: F5 ("bigip") script > > > > Mon, Apr 20, 2009 at 12:34:18PM -0400, marcus gaysek: > > > I have tested with a couple of Cisco devices, including an ASA and I am > > not > > > seeing the formatting issues I have seen in the past. > > > > thats probably luck. > > > > > The LTM config looks great. The only thing that I can see that needs to > > be > > > > what is 'LTM'? > > > > > manually downloaded are the certs. All in all this seems to be a great > > > improvemant. Thanks for making it work. > > > > The certs are in the configuration? is there a command or option to get > > them? > > > > > On Mon, Apr 20, 2009 at 9:27 AM, Teun Vink > wrote: > > > > > > > On Thu, 2009-04-16 at 22:29 +0000, john heasley wrote: > > > > > I don't have a F5 box, but had put together a script while someone > > had > > > > > provided remote access, but hadn't finished testing it. Would > > someone > > > > > with one an F5 download > > > > > ftp://ftp.shrubbery.net/pub/rancid/rancid-2.3.2a10.tar.gz > > > > > and test it, please. > > > > > > > > Just did a quick test, it works fine for me. I had some issues with the > > > > previous version which seemed to have some ordering issues in the > > > > output, which resulted in false diffs every single run. 
> > > > I don't see them in this version, so I'm happy :)
> > > >
> > > > regards,
> > > > Teun

From heas at shrubbery.net Mon Apr 20 20:34:18 2009
From: heas at shrubbery.net (john heasley)
Date: Mon, 20 Apr 2009 20:34:18 +0000
Subject: [rancid] Re: F5 ("bigip") script
In-Reply-To: <370BD08812250148A3EC9CFC41A6D60101A65B165A@EXCHANGE1.orm.omniture.com>
References: <20090416222907.GZ25942@shrubbery.net> <1240234057.11944.39.camel@moridin.office.bit.nl.office.bit.nl> <20090420172840.GM21045@shrubbery.net> <370BD08812250148A3EC9CFC41A6D60101A65B15CC@EXCHANGE1.orm.omniture.com> <20090420183710.GT21045@shrubbery.net> <370BD08812250148A3EC9CFC41A6D60101A65B165A@EXCHANGE1.orm.omniture.com>
Message-ID: <20090420203418.GA21045@shrubbery.net>

Mon, Apr 20, 2009 at 02:01:10PM -0600, Mike Ashcraft:
> I added the SSL directory listings to track changes to SSL certs [adds/removals/updates].
>
> Storing these as part of the config within rancid would be reasonable only if there were very few certs. They are best archived elsewhere by backing up the .ucs file as Marcus mentioned, an rsync to a backup host or similar methods.
>
> Mike

thanks. i'm drawing the line here; 2.3.2a10 will be 2.3.2 release. the motorola, wti, digi, netgear, and adtran stuff will go into 2.4.

> From: marcus gaysek [mailto:mgaysek at gmail.com] > Sent: Monday, April 20, 2009 12:49 PM > To: john heasley > Cc: Mike Ashcraft; rancid-discuss at shrubbery.net > Subject: Re: [rancid] Re: F5 ("bigip") script > > Those are actually directories. The name of the certs are always different. > > Both cat and more are available (BigIPs are linux/bsd based). I believe all the files below ssl directory are required, excluding ca-bundle.crt. The amount of files depends on how many certs are installed on the device. > > There are four directories: ssl.crl ssl.crt ssl.csr ssl.key > > On Mon, Apr 20, 2009 at 2:37 PM, john heasley > wrote: > Mon, Apr 20, 2009 at 02:08:25PM -0400, marcus gaysek: > > The certs are located in in the config/ssl/ sub-directories, which would > > need to be download'd. I would think that functionality would be outside of > > Rancid, but if you lost your LTM you would need them to rebuild a new one. > > You capture their names as part of the config. They are listed in the last > > few lines. > if they're always these files > {'ls --full-time --color=never /config/ssl/ssl.crt' => 'ShowSslCrt'}, > {'ls --full-time --color=never /config/ssl/ssl.key' => 'ShowSslKey'}, > is there a "cat" or "more" command? Their contents should be ascii. > > > There is a command in the BigIP devices (GTMs and LTMs) that captures all > > the files and compresses them in a .ucs file. Once they are created they > > can be downloaded and used to restore a BigIP. > > > > On Mon, Apr 20, 2009 at 1:37 PM, Mike Ashcraft >wrote: > > > > > LTM = Local Traffic Manager = F5 Big-IP > > > > > > Thanks > > > > > > -----Original Message----- 
> > > From: rancid-discuss-bounces at shrubbery.net [mailto: > > > rancid-discuss-bounces at shrubbery.net] On Behalf Of john heasley > > > Sent: Monday, April 20, 2009 11:29 AM > > > To: marcus gaysek > > > Cc: rancid-discuss at shrubbery.net > > > Subject: [rancid] Re: F5 ("bigip") script > > > > > > Mon, Apr 20, 2009 at 12:34:18PM -0400, marcus gaysek: > > > > I have tested with a couple of Cisco devices, including an ASA and I am > > > not > > > > seeing the formatting issues I have seen in the past. > > > > > > thats probably luck. > > > > > > > The LTM config looks great. The only thing that I can see that needs to > > > be > > > > > > what is 'LTM'? > > > > > > > manually downloaded are the certs. All in all this seems to be a great > > > > improvemant. Thanks for making it work. > > > > > > The certs are in the configuration? is there a command or option to get > > > them? > > > > > > > On Mon, Apr 20, 2009 at 9:27 AM, Teun Vink > wrote: > > > > > > > > > On Thu, 2009-04-16 at 22:29 +0000, john heasley wrote: > > > > > > I don't have a F5 box, but had put together a script while someone > > > had > > > > > > provided remote access, but hadn't finished testing it. Would > > > someone > > > > > > with one an F5 download > > > > > > ftp://ftp.shrubbery.net/pub/rancid/rancid-2.3.2a10.tar.gz > > > > > > and test it, please. > > > > > > > > > > Just did a quick test, it works fine for me. I had some issues with the > > > > > previous version which seemed to have some ordering issues in the > > > > > output, which resulted in false diffs every single run. 
> > > > > I don't see them in this version, so I'm happy :)
> > > > >
> > > > > regards,
> > > > > Teun

From peter.serwe at gmail.com Mon Apr 20 23:03:37 2009
From: peter.serwe at gmail.com (Peter Serwe)
Date: Mon, 20 Apr 2009 16:03:37 -0700
Subject: [rancid] Re: Rancid with Fortigate Devices?
In-Reply-To: <20090420174551.GO21045@shrubbery.net>
References: <20090416182401.GE25942@shrubbery.net> <20090420162509.GB21045@shrubbery.net> <20090420174551.GO21045@shrubbery.net>
Message-ID:

On Mon, Apr 20, 2009 at 10:45 AM, john heasley wrote:
> yep, your prompt is nFGT100C3G0860259~ $
> but the script expects ->

Ah yes, I had an issue with my new router guy wanting to change all of the router prompts for BCP 38 compliance, and I had to veto the prompt change because I don't want to see either of my CMS's broken.

That would be another awesome thing to break out into a configuration file per device, having a variable to set the regex of the prompt relatively easily, or just set a simple wildcard. I wonder if that's even possible with expect. Or if it would be possible to get the prompt, and set it on the fly, so that rancid doesn't care what the prompt actually is.

Peter

From carlo.finotti at gmail.com Tue Apr 21 01:37:22 2009
From: carlo.finotti at gmail.com (Carlo Finotti)
Date: Mon, 20 Apr 2009 21:37:22 -0400
Subject: [rancid] rancid with Cisco ASA 5520 in Multiple Context Mode
Message-ID:

So I have been trying to use rancid with "clogin" to simply back up my firewall running in multiple context mode. When I run the command below from an Ubuntu command line it works with no issues, but if I add it to a bash script it breaks. Any suggestions?

sudo /usr/lib/rancid/bin/clogin -f /home/user/.cloginrc-firewall -c 'terminal pager 0; changeto context test; sh run; changeto context test1; changeto context test2; sh run; changeto context test3; exit' 10.2.2.1 > /home/user/backups/firewall-test.cfg

If anyone has any suggestions on creating a bash script with "clogin" I would appreciate the feedback because I have been racking my brain :-\ And I am by no means a linux guru so that is why I am struggling. My goal is to back up (4) separate firewalls, (3) core switches and (6) routers while making it as simple as possible.

Thanks,
Carlo

From heas at shrubbery.net Tue Apr 21 03:45:07 2009
From: heas at shrubbery.net (john heasley)
Date: Tue, 21 Apr 2009 03:45:07 +0000
Subject: [rancid] Re: Rancid with Fortigate Devices?
In-Reply-To:
References: <20090416182401.GE25942@shrubbery.net> <20090420162509.GB21045@shrubbery.net> <20090420174551.GO21045@shrubbery.net>
Message-ID: <20090421034507.GD6269@shrubbery.net>

Mon, Apr 20, 2009 at 04:03:37PM -0700, Peter Serwe:
> On Mon, Apr 20, 2009 at 10:45 AM, john heasley wrote:
> > yep, your prompt is nFGT100C3G0860259~ $
> > but the script expects ->
>
> Ah yes, I had an issue with my new router guy wanting to change all of
> the router prompts for BCP 38 compliance, and I had to veto the prompt
> change because I don't want to see either of my CMS's broken.
>
> That would be another awesome thing to break out into a configuration
> file per device, having a variable to set the regex of the prompt
> relatively easily, or just set a simple wildcard. I wonder if that's
> even possible with expect. Or if it would be possible to get the
> prompt, and set it on the fly, so that rancid doesn't care what the
> prompt actually is.

i haven't reviewed this script, but most of the others do this. they do however need some kind of hint. once they find that string, the full prompt is picked-up from that. the hint is not cloginrc-programmable. but...why change it in the first place.

I'm assuming that this device's prompt always ends with "-> ", as I was told it does.

From heas at shrubbery.net Tue Apr 21 03:52:49 2009
From: heas at shrubbery.net (john heasley)
Date: Tue, 21 Apr 2009 03:52:49 +0000
Subject: [rancid] Re: rancid with Cisco ASA 5520 in Multiple Context Mode
In-Reply-To:
References:
Message-ID: <20090421035249.GE6269@shrubbery.net>

Mon, Apr 20, 2009 at 09:37:22PM -0400, Carlo Finotti:
> So I have been trying to use rancid with "clogin" to simply back up
> my firewall running in multiple context mode. When I run the command
> below from an Ubuntu command line it works with no issues, but if I add
> it to a bash script it breaks. Any suggestions?
>
> sudo /usr/lib/rancid/bin/clogin -f /home/user/.cloginrc-firewall -c
> 'terminal pager 0; changeto context test; sh run; changeto context
> test1; changeto context test2; sh run; changeto context test3; exit'
> 10.2.2.1 > /home/user/backups/firewall-test.cfg
>
> If anyone has any suggestions on creating a bash script with "clogin"
> I would appreciate the feedback because I have been racking my brain
> :-\ And I am by no means a linux guru so that is why I am struggling.
> My goal is to back up (4) separate firewalls, (3) core switches and
> (6) routers while making it as simple as possible.

this is probably one of those boxes that gets confused by terminal types. set TERM to something like vt100.

From jmoorse at gmail.com Tue Apr 21 03:05:58 2009
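Added example (not part of the thread, and not RANCID's own code): the clogin one-liner from the question above wrapped in a script that pins TERM as the reply suggests, writes owner-only files, and keeps the previous good copy when a run fails. The variable names, the "host|commands" list format and the ".failed" suffix are assumptions; treating a line that begins with "Error:" as a failed run follows the "Error: TIMEOUT reached" message quoted elsewhere in this archive.

```shell
#!/bin/sh
# Added example. Names and file layout below are assumptions, not RANCID defaults.
CLOGIN=${CLOGIN:-/usr/lib/rancid/bin/clogin}     # path used in the question above
CLOGINRC=${CLOGINRC:-$HOME/.cloginrc-firewall}   # credentials stay in this file
BACKUP_DIR=${BACKUP_DIR:-$HOME/backups}

# backup_device HOST 'cmd1; cmd2; ...'
# Returns 0 and replaces HOST.cfg only when the run looks complete.
backup_device() {
    bd_host=$1
    bd_cmds=$2
    bd_out="$BACKUP_DIR/$bd_host.cfg"
    bd_tmp="$bd_out.new"

    (
        # Device configs carry password hashes and keys: owner-only files.
        umask 077
        mkdir -p "$BACKUP_DIR" || exit 1
        # A script started from cron or sudo may have TERM unset or "dumb";
        # pin it so the device sees a known terminal type.
        TERM=vt100
        export TERM
        "$CLOGIN" -f "$CLOGINRC" -c "$bd_cmds" "$bd_host" > "$bd_tmp" 2>&1
    )
    bd_rc=$?

    # Fail on a non-zero exit, an empty capture, or an "Error:" line.
    if [ "$bd_rc" -ne 0 ] || [ ! -s "$bd_tmp" ] || grep -q '^Error:' "$bd_tmp"; then
        echo "backup of $bd_host failed (exit $bd_rc), keeping previous copy" >&2
        [ -f "$bd_tmp" ] && mv -f "$bd_tmp" "$bd_out.failed"
        return 1
    fi
    mv -f "$bd_tmp" "$bd_out"
}

# backup_all FILE
# FILE holds one "host|commands" entry per line; blank lines and lines
# starting with "#" are skipped. Returns the number of failed devices.
backup_all() {
    ba_failed=0
    while IFS='|' read -r ba_host ba_cmds; do
        case $ba_host in ''|'#'*) continue ;; esac
        # stdin comes from /dev/null so the login script cannot swallow
        # the rest of the device list that the loop is reading.
        backup_device "$ba_host" "$ba_cmds" < /dev/null || ba_failed=$((ba_failed + 1))
    done < "$1"
    return "$ba_failed"
}

# Typical use, with a list file containing for example:
#   10.2.2.1|terminal pager 0; changeto context test; sh run; exit
# backup_all "$HOME/devices.list"
```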
From: jmoorse at gmail.com (Jeff Moorse)
Date: Mon, 20 Apr 2009 20:05:58 -0700
Subject: [rancid] Re: Rancid with Fortigate Devices?
In-Reply-To: <20090420174551.GO21045@shrubbery.net>
References: <20090416182401.GE25942@shrubbery.net> <20090420162509.GB21045@shrubbery.net> <20090420174551.GO21045@shrubbery.net>
Message-ID: <795645b20904202005g7064098ama88dd09446e7a32@mail.gmail.com>

Anyone know what the correct syntax for the expect script would be to match prompt (assuming the string of #'s following FGT is variable)? I have experienced similar problems

Thanks

On Mon, Apr 20, 2009 at 10:45 AM, john heasley wrote:
> yep, your prompt is nFGT100C3G0860259~ $
> but the script expects ->

--
-- Jeff Moorse --

From teun at moonblade.net Tue Apr 21 06:50:15 2009
From: teun at moonblade.net (Teun Vink)
Date: Tue, 21 Apr 2009 08:50:15 +0200
Subject: [rancid] Re: F5 ("bigip") script
In-Reply-To: <20090420172840.GM21045@shrubbery.net>
References: <20090416222907.GZ25942@shrubbery.net> <1240234057.11944.39.camel@moridin.office.bit.nl.office.bit.nl> <20090420172840.GM21045@shrubbery.net>
Message-ID: <1240296615.27514.2.camel@moridin.office.bit.nl.office.bit.nl>

On Mon, 2009-04-20 at 17:28 +0000, john heasley wrote:
[...]
> what is 'LTM'?
>

The Local Traffic Manager, one of the products of F5.

> > manually downloaded are the certs. All in all this seems to be a great
> > improvement. Thanks for making it work.
>
> The certs are in the configuration? is there a command or option to get
> them?

they are stored on local disk in

/config/ssl/ssl.csr/*
/config/ssl/ssl.key/*
/config/ssl/ssl.crl/*
/config/ssl/ssl.crt/*

Regards,
Teun

From froztbyte at froztbyte.net Tue Apr 21 09:22:27 2009
From: froztbyte at froztbyte.net (JP Viljoen)
Date: Tue, 21 Apr 2009 11:22:27 +0200
Subject: [rancid] Timeouts on Cisco ASA
Message-ID: <200904211122.28498.froztbyte@froztbyte.net>

I've got a few Cisco devices that I'm monitoring configs and changes to the configs with using RANCID, and among them is an ASA. The problem I have is that logging into the ASA with clogin seems to just stall. It gets as far as the prompt immediately after login, and from there it's just dead.

rancid at mon:~/rancid/bin$ ./clogin 10.1.2.1
10.1.2.1
spawn ssh -c 3des -x -l user 10.1.2.1
user at 10.1.2.1's password:
Type help or '?' for a list of available commands.
ciscoasa>
{TIMEOUT here}

Entering commands at this point is unsuccessful, as is giving commands with the -c parameter. Logging into the device with ssh on its own works perfectly though:

rancid at mon:~/rancid/bin$ ssh user at 10.1.2.1
user at 10.1.2.1's password:
Type help or '?' for a list of available commands.
ciscoasa> ?

  clear       Reset functions
  enable      Turn on privileged commands

My .cloginrc for the specific device is as follows:

add user 10.1.2.1               {user}
add password 10.1.2.1           {loginpass} {enablepass}
add method 10.1.2.1             ssh

Initially the configuration was with Telnet, using which I experienced the same timeout issue. After some reading through the archives I established that it might be worth attempting to use SSH and have now run into the same issue. If anyone else has perhaps solved this issue, or have a pointer on what I could look at?

From carlo.finotti at gmail.com Tue Apr 21 12:15:34 2009
From: carlo.finotti at gmail.com (Carlo Finotti)
Date: Tue, 21 Apr 2009 08:15:34 -0400
Subject: [rancid] Re: Timeouts on Cisco ASA
In-Reply-To: <200904211122.28498.froztbyte@froztbyte.net>
References: <200904211122.28498.froztbyte@froztbyte.net>
Message-ID:

Yep that is basically the same thing that is happening to me. It seems like the package works great for routers and switches but is a bit buggy for an ASA especially in multiple context mode. Hopefully someone has this setup and working and can shed some light on our dilemma.

On Tue, Apr 21, 2009 at 5:22 AM, JP Viljoen wrote:
> I've got a few Cisco devices that I'm monitoring configs and changes to the
> configs with using RANCID, and among them is an ASA. The problem I have is that
> logging into the ASA with clogin seems to just stall. It gets as far as the
> prompt immediately after login, and from there it's just dead.
>
> rancid at mon:~/rancid/bin$ ./clogin 10.1.2.1
> 10.1.2.1
> spawn ssh -c 3des -x -l user 10.1.2.1
> user at 10.1.2.1's password:
> Type help or '?' for a list of available commands.
> ciscoasa>
> {TIMEOUT here}
>
> Entering commands at this point is unsuccessful, as is giving commands with
> the -c parameter. Logging into the device with ssh on its own works perfectly
> though:
>
> rancid at mon:~/rancid/bin$ ssh user at 10.1.2.1
> user at 10.1.2.1's password:
> Type help or '?' for a list of available commands.
> ciscoasa> ?
>
>   clear       Reset functions
>   enable      Turn on privileged commands
>
> My .cloginrc for the specific device is as follows:
>
> add user 10.1.2.1               {user}
> add password 10.1.2.1           {loginpass} {enablepass}
> add method 10.1.2.1             ssh
>
> Initially the configuration was with Telnet, using which I experienced the same
> timeout issue. After some reading through the archives I established that it
> might be worth attempting to use SSH and have now run into the same issue. If
> anyone else has perhaps solved this issue, or have a pointer on what I could
> look at?

From froztbyte at froztbyte.net Tue Apr 21 13:02:10 2009
From: froztbyte at froztbyte.net (JP Viljoen)
Date: Tue, 21 Apr 2009 15:02:10 +0200
Subject: [rancid] Re: Timeouts on Cisco ASA
In-Reply-To:
References: <200904211122.28498.froztbyte@froztbyte.net>
Message-ID: <200904211502.10961.froztbyte@froztbyte.net>

On Tuesday 21 April 2009 14:43:30 Deny IP Any Any wrote:
> It sounds like your setup is expecting it to drop directly to enabled
> mode, which is why it is timing out (it's likely looking for a # in
> the prompt). double-check your .cloginrc file to make sure there isn't
> an autoenable setting that would be applying to your device.
>
> RANCID against an ASA works for me here:
>
> rancid at wh-mon06:~/bin$ ./clogin 192.168.121.11
> 192.168.121.11
> spawn ssh -c 3des -x -l rancid 192.168.121.11
> rancid at 192.168.121.11's password:
> Type help or '?' for a list of available commands.
> P10-JAX-ASA> enable
> Password: ************
> P10-JAX-ASA#
> P10-JAX-ASA# sh ver
>
> Cisco Adaptive Security Appliance Software Version 8.0(4)
> Device Manager Version 6.1(5)57

Speaking to a friend of mine earlier after he saw my post to the list, I did try debugging with noenable and other parameters and even adjusting the expected enable prompt to specifically match "Password:" (even though the default should do this) as well as ensuring it doesn't try to autoenable, all unsuccessfully. Running in debug mode I get the following output near the end (sorry if some of it is unnecessary, I'm still busy learning the flow of RANCID and getting to know what's important where):

expect: does " \r\nType help or '?' for a list of available commands. \r\n\rciscoasa> " (spawn_id exp6) match glob pattern "unknown host\r"? no
expect: does " \r\nType help or '?' for a list of available commands. \r\n\rciscoasa> " (spawn_id exp6) match glob pattern "Host is unreachable"? no
"No address associated with name"? no
"(Host key not found |The authenticity of host .* be established).*(yes/no)?"? no
"HOST IDENTIFICATION HAS CHANGED.* (yes/no)?"? no
"Offending key for .* (yes/no)?"? no
"(denied|Sorry)"? no
"Login failed"? no
"% (Bad passwords|Authentication failed)"? no
"Press any key to continue"? no
"Enter Selection: "? no
"Last login:"? no
"@[^\r\n]+ ([Pp]assword|passwd):"? no
"(Username|Login|login|user name|User):"? no
"([Pp]assword|passwd):"? no
"(#| \(enable\))"? no
"Login invalid"? no
expect: timed out

Error: TIMEOUT reached
write() failed to write anything - will sleep(1) and retry...

From mgaysek at gmail.com Tue Apr 21 13:39:16 2009
From: mgaysek at gmail.com (marcus gaysek)
Date: Tue, 21 Apr 2009 09:39:16 -0400
Subject: [rancid] Re: Timeouts on Cisco ASA
In-Reply-To:
References: <200904211122.28498.froztbyte@froztbyte.net>
Message-ID:

I have quite a few ASAs in my environment and do not have that issue. What version of rancid are you both running? Is it possible something else in your .cloginrc config is taking precedence? What happens if you run:

./clogin -u user-name -p user-password -e enable-password 10.1.2.1

On Tue, Apr 21, 2009 at 8:15 AM, Carlo Finotti wrote:
> Yep that is basically the same thing that is happening to me. It
> seems like the package works great for routers and switches but is a
> bit buggy for an ASA especially in multiple context mode. Hopefully
> someone has this setup and working and can shed some light on our
> dilemma.
>
> On Tue, Apr 21, 2009 at 5:22 AM, JP Viljoen wrote:
> > I've got a few Cisco devices that I'm monitoring configs and changes to the
> > configs with using RANCID, and among them is an ASA. The problem I have is that
> > logging into the ASA with clogin seems to just stall. It gets as far as the
> > prompt immediately after login, and from there it's just dead.
> >
> > rancid at mon:~/rancid/bin$ ./clogin 10.1.2.1
> > 10.1.2.1
> > spawn ssh -c 3des -x -l user 10.1.2.1
> > user at 10.1.2.1's password:
> > Type help or '?' for a list of available commands.
> > ciscoasa>
> > {TIMEOUT here}
> >
> > Entering commands at this point is unsuccessful, as is giving commands with
> > the -c parameter. Logging into the device with ssh on its own works perfectly
> > though:
> >
> > rancid at mon:~/rancid/bin$ ssh user at 10.1.2.1
> > user at 10.1.2.1's password:
> > Type help or '?' for a list of available commands.
> > ciscoasa> ?
> >
> >   clear       Reset functions
> >   enable      Turn on privileged commands
> >
> > My .cloginrc for the specific device is as follows:
> >
> > add user 10.1.2.1               {user}
> > add password 10.1.2.1           {loginpass} {enablepass}
> > add method 10.1.2.1             ssh
> >
> > Initially the configuration was with Telnet, using which I experienced the same
> > timeout issue. After some reading through the archives I established that it
> > might be worth attempting to use SSH and have now run into the same issue. If
> > anyone else has perhaps solved this issue, or have a pointer on what I could
> > look at?

From smunzani at comcast.net Tue Apr 21 14:10:40 2009
From: smunzani at comcast.net (Sam Munzani)
Date: Tue, 21 Apr 2009 09:10:40 -0500
Subject: [rancid] Re: F5 ("bigip") script
In-Reply-To: <20090420203418.GA21045@shrubbery.net>
References: <20090416222907.GZ25942@shrubbery.net> <1240234057.11944.39.camel@moridin.office.bit.nl.office.bit.nl> <20090420172840.GM21045@shrubbery.net> <370BD08812250148A3EC9CFC41A6D60101A65B15CC@EXCHANGE1.orm.omniture.com> <20090420183710.GT21045@shrubbery.net> <370BD08812250148A3EC9CFC41A6D60101A65B165A@EXCHANGE1.orm.omniture.com> <20090420203418.GA21045@shrubbery.net>
Message-ID: <49EDD3E0.6050101@comcast.net>

john heasley wrote:
> Mon, Apr 20, 2009 at 02:01:10PM -0600, Mike Ashcraft:
>
>> I added the SSL directory listings to track changes to SSL certs [adds/removals/updates].
>>
>> Storing these as part of the config within rancid would be reasonable only if there were very few certs. They are best archived elsewhere by backing up the .ucs file as Marcus mentioned, an rsync to a backup host or similar methods.
>>
>> Mike
>
> thanks. i'm drawing the line here; 2.3.2a10 will be 2.3.2 release. the
> motorola, wti, digi, netgear, and adtran stuff will go into 2.4.

I second your decision. F5 support has been stable now, so making it to a major release is a good move. The rest we can work towards the next release.

Thanks,
sam

> >> From: marcus gaysek [mailto:mgaysek at gmail.com] >> Sent: Monday, April 20, 2009 12:49 PM >> To: john heasley >> Cc: Mike Ashcraft; rancid-discuss at shrubbery.net >> Subject: Re: [rancid] Re: F5 ("bigip") script >> >> Those are actually directories. The name of the certs are always different. >> >> Both cat and more are available (BigIPs are linux/bsd based). I believe all the files below ssl directory are required, excluding ca-bundle.crt. The amount of files depends on how many certs are installed on the device. >> >> There are four directories: ssl.crl ssl.crt ssl.csr ssl.key >> >> On Mon, Apr 20, 2009 at 2:37 PM, john heasley > wrote: >> Mon, Apr 20, 2009 at 02:08:25PM -0400, marcus gaysek: >> >>> The certs are located in in the config/ssl/ sub-directories, which would >>> need to be download'd. I would think that functionality would be outside of >>> Rancid, but if you lost your LTM you would need them to rebuild a new one. >>> You capture their names as part of the config. They are listed in the last >>> few lines. >>> >> if they're always these files >> {'ls --full-time --color=never /config/ssl/ssl.crt' => 'ShowSslCrt'}, >> {'ls --full-time --color=never /config/ssl/ssl.key' => 'ShowSslKey'}, >> is there a "cat" or "more" command? Their contents should be ascii. >> >> >>> There is a command in the BigIP devices (GTMs and LTMs) that captures all >>> the files and compresses them in a .ucs file. Once they are created they >>> can be downloaded and used to restore a BigIP. >>> >>> On Mon, Apr 20, 2009 at 1:37 PM, Mike Ashcraft >wrote: >>> >>> >>>> LTM = Local Traffic Manager = F5 Big-IP >>>> >>>> Thanks >>>> >>>> -----Original Message----- 
>>>> From: rancid-discuss-bounces at shrubbery.net [mailto: >>>> rancid-discuss-bounces at shrubbery.net] On Behalf Of john heasley >>>> Sent: Monday, April 20, 2009 11:29 AM >>>> To: marcus gaysek >>>> Cc: rancid-discuss at shrubbery.net >>>> Subject: [rancid] Re: F5 ("bigip") script >>>> >>>> Mon, Apr 20, 2009 at 12:34:18PM -0400, marcus gaysek: >>>> >>>>> I have tested with a couple of Cisco devices, including an ASA and I am >>>>> >>>> not >>>> >>>>> seeing the formatting issues I have seen in the past. >>>>> >>>> thats probably luck. >>>> >>>> >>>>> The LTM config looks great. The only thing that I can see that needs to >>>>> >>>> be >>>> >>>> what is 'LTM'? >>>> >>>> >>>>> manually downloaded are the certs. All in all this seems to be a great >>>>> improvemant. Thanks for making it work. >>>>> >>>> The certs are in the configuration? is there a command or option to get >>>> them? >>>> >>>> >>>>> On Mon, Apr 20, 2009 at 9:27 AM, Teun Vink > wrote: >>>>> >>>>> >>>>>> On Thu, 2009-04-16 at 22:29 +0000, john heasley wrote: >>>>>> >>>>>>> I don't have a F5 box, but had put together a script while someone >>>>>>> >>>> had >>>> >>>>>>> provided remote access, but hadn't finished testing it. Would >>>>>>> >>>> someone >>>> >>>>>>> with one an F5 download >>>>>>> ftp://ftp.shrubbery.net/pub/rancid/rancid-2.3.2a10.tar.gz >>>>>>> and test it, please. >>>>>>> >>>>>> Just did a quick test, it works fine for me. I had some issues with the >>>>>> previous version which seemed to have some ordering issues in the >>>>>> output, which resulted in false diffs every single run. 
I don't see >>>>>> >>>> them >>>> >>>>>> in this version, so I'm happy :) >>>>>> >>>>>> regards, >>>>>> Teun >>>>>> >>>>>> _______________________________________________ >>>>>> Rancid-discuss mailing list >>>>>> Rancid-discuss at shrubbery.net >>>>>> http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss >>>>>> >>>>>> >>>> _______________________________________________ >>>> Rancid-discuss mailing list >>>> Rancid-discuss at shrubbery.net >>>> http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss >>>> _______________________________________________ >>>> Rancid-discuss mailing list >>>> Rancid-discuss at shrubbery.net >>>> http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss >>>> >>>> > _______________________________________________ > Rancid-discuss mailing list > Rancid-discuss at shrubbery.net > http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://www.shrubbery.net/pipermail/rancid-discuss/attachments/20090421/2e3273af/attachment.html From smunzani at comcast.net Tue Apr 21 14:12:54 2009 
From: smunzani at comcast.net (Sam Munzani) Date: Tue, 21 Apr 2009 09:12:54 -0500 Subject: [rancid] Re: F5 ("bigip") script In-Reply-To: <370BD08812250148A3EC9CFC41A6D60101A65B165A@EXCHANGE1.orm.omniture.com> References: <20090416222907.GZ25942@shrubbery.net> <1240234057.11944.39.camel@moridin.office.bit.nl.office.bit.nl> <20090420172840.GM21045@shrubbery.net> <370BD08812250148A3EC9CFC41A6D60101A65B15CC@EXCHANGE1.orm.omniture.com> <20090420183710.GT21045@shrubbery.net> <370BD08812250148A3EC9CFC41A6D60101A65B165A@EXCHANGE1.orm.omniture.com> Message-ID: <49EDD466.4010508@comcast.net> Usually SSL certs don't change every day. The approach I have taken is tar ball them all and scp over. Then do those manual steps only when the certs change. Thanks, Sam > > I added the SSL directory listings to track changes to SSL certs > [adds/removals/updates]. > > > > Storing these as part of the config within rancid would be reasonable > only if there were very few certs. They are best archived elsewhere > by backing up the .ucs file as Marcus mentioned, an rsync to a backup > host or similar methods. > > > > Mike > > > > *From:* marcus gaysek [mailto:mgaysek at gmail.com] > *Sent:* Monday, April 20, 2009 12:49 PM > *To:* john heasley > *Cc:* Mike Ashcraft; rancid-discuss at shrubbery.net > *Subject:* Re: [rancid] Re: F5 ("bigip") script > > > > Those are actually directories. The name of the certs are always > different. > > Both cat and more are available (BigIPs are linux/bsd based). I > believe all the files below ssl directory are required, excluding > ca-bundle.crt. The amount of files depends on how many certs are > installed on the device. > > There are four directories: ssl.crl ssl.crt ssl.csr ssl.key > > On Mon, Apr 20, 2009 at 2:37 PM, john heasley > wrote: > > Mon, Apr 20, 2009 at 02:08:25PM -0400, marcus gaysek: > > > The certs are located in in the config/ssl/ sub-directories, which > would > > need to be download'd. 
I would think that functionality would be > outside of > > Rancid, but if you lost your LTM you would need them to rebuild a > new one. > > You capture their names as part of the config. They are listed in > the last > > few lines. > > if they're always these files > {'ls --full-time --color=never /config/ssl/ssl.crt' => > 'ShowSslCrt'}, > {'ls --full-time --color=never /config/ssl/ssl.key' => > 'ShowSslKey'}, > is there a "cat" or "more" command? Their contents should be ascii. > > > > There is a command in the BigIP devices (GTMs and LTMs) that > captures all > > the files and compresses them in a .ucs file. Once they are created > they > > can be downloaded and used to restore a BigIP. > > > > On Mon, Apr 20, 2009 at 1:37 PM, Mike Ashcraft > >wrote: > > > > > LTM = Local Traffic Manager = F5 Big-IP > > > > > > Thanks > > > > > > -----Original Message----- 
> > > From: rancid-discuss-bounces at shrubbery.net > [mailto: > > > rancid-discuss-bounces at shrubbery.net > ] On Behalf Of john heasley > > > Sent: Monday, April 20, 2009 11:29 AM > > > To: marcus gaysek > > > Cc: rancid-discuss at shrubbery.net > > > Subject: [rancid] Re: F5 ("bigip") script > > > > > > Mon, Apr 20, 2009 at 12:34:18PM -0400, marcus gaysek: > > > > I have tested with a couple of Cisco devices, including an ASA > and I am > > > not > > > > seeing the formatting issues I have seen in the past. > > > > > > thats probably luck. > > > > > > > The LTM config looks great. The only thing that I can see that > needs to > > > be > > > > > > what is 'LTM'? > > > > > > > manually downloaded are the certs. All in all this seems to be a > great > > > > improvemant. Thanks for making it work. > > > > > > The certs are in the configuration? is there a command or option > to get > > > them? > > > > > > > On Mon, Apr 20, 2009 at 9:27 AM, Teun Vink > wrote: > > > > > > > > > On Thu, 2009-04-16 at 22:29 +0000, john heasley wrote: > > > > > > I don't have a F5 box, but had put together a script while > someone > > > had > > > > > > provided remote access, but hadn't finished testing it. Would > > > someone > > > > > > with one an F5 download > > > > > > ftp://ftp.shrubbery.net/pub/rancid/rancid-2.3.2a10.tar.gz > > > > > > and test it, please. > > > > > > > > > > Just did a quick test, it works fine for me. I had some issues > with the > > > > > previous version which seemed to have some ordering issues in the > > > > > output, which resulted in false diffs every single run. 
I > don't see > > > them > > > > > in this version, so I'm happy :) > > > > > > > > > > regards, > > > > > Teun > > > > > > > > > > _______________________________________________ > > > > > Rancid-discuss mailing list > > > > > Rancid-discuss at shrubbery.net > > > > > http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss > > > > > > > > _______________________________________________ > > > Rancid-discuss mailing list > > > Rancid-discuss at shrubbery.net > > > http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss > > > _______________________________________________ > > > Rancid-discuss mailing list > > > Rancid-discuss at shrubbery.net > > > http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss > > > > > > > ------------------------------------------------------------------------ > > _______________________________________________ > Rancid-discuss mailing list > Rancid-discuss at shrubbery.net > http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss -------------- next part -------------- An HTML attachment was scrubbed... URL: http://www.shrubbery.net/pipermail/rancid-discuss/attachments/20090421/fc48ed62/attachment.html From heas at shrubbery.net Tue Apr 21 14:54:04 2009 
From: heas at shrubbery.net (john heasley) Date: Tue, 21 Apr 2009 14:54:04 +0000 Subject: [rancid] Re: Timeouts on Cisco ASA In-Reply-To: References: <200904211122.28498.froztbyte@froztbyte.net> Message-ID: <20090421145404.GE3772@shrubbery.net> Tue, Apr 21, 2009 at 09:39:16AM -0400, marcus gaysek: > I have quite a few ASAs in my environment and do not have that issue. > What version of rancid are you both running? > Is it possible something else in your .cloginrc config is taking precedence? > What happens if you run: ./clogin -u user-name -p user-password -e > enable-password 10.1.2.1 and -noenable and -d > > On Tue, Apr 21, 2009 at 8:15 AM, Carlo Finotti wrote: > > > Yep that is basically the same thing that is happening to me. It > > seems like the package works great for routers and switches but is a > > bit buggy for an ASA especially in multiple context mode. Hopefully > > someone has this setup and working and can shed some light on our > > dilemma. > > > > > > On Tue, Apr 21, 2009 at 5:22 AM, JP Viljoen > > wrote: > > > I've got a few Cisco devices that I'm monitoring configs and changes to > > the > > > configs with using RANCID, and among them is an ASA. The problem I have > > is that > > > logging into the ASA with clogin seems to just stall. It gets as far the > > > prompt immediately after login, and from there's it's just dead. > > > > > > rancid at mon:~/rancid/bin$ ./clogin 10.1.2.1 > > > 10.1.2.1 > > > spawn ssh -c 3des -x -l user 10.1.2.1 > > > user at 10.1.2.1's password: > > > Type help or '?' for a list of available commands. > > > ciscoasa> > > > {TIMEOUT here} > > > > > > Entering commands at this point is unsuccessful, as is giving commands > > with > > > the -c parameter. Logging into the device with ssh on its own works > > perfectly > > > though: > > > > > > rancid at mon:~/rancid/bin$ ssh user at 10.1.2.1 > > > user at 10.1.2.1's password: > > > Type help or '?' for a list of available commands. > > > ciscoasa> ? 
> > > > > > clear Reset functions > > > enable Turn on privileged commands > > > > > > > > > My .cloginrc for the specific device is as follows: > > > > > > add user 10.1.2.1 {user} > > > add password 10.1.2.1 {loginpass} {enablepass} > > > add method 10.1.2.1 ssh > > > > > > Initially the configuration was with Telnet, using which I experienced > > the same > > > timeout issue. After some reading through the archives I established that > > it > > > might be worth attempting to use SSH and have now run into the same > > issue. If > > > anyone else has perhaps solved this issue, or have a pointer on what I > > could > > > look at? > > > _______________________________________________ > > > Rancid-discuss mailing list > > > Rancid-discuss at shrubbery.net > > > http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss > > > > > _______________________________________________ > > Rancid-discuss mailing list > > Rancid-discuss at shrubbery.net > > http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss > > > _______________________________________________ > Rancid-discuss mailing list > Rancid-discuss at shrubbery.net > http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss From heas at shrubbery.net Tue Apr 21 14:55:07 2009 
From: heas at shrubbery.net (john heasley) Date: Tue, 21 Apr 2009 14:55:07 +0000 Subject: [rancid] Re: Timeouts on Cisco ASA In-Reply-To: <200904211502.10961.froztbyte@froztbyte.net> References: <200904211122.28498.froztbyte@froztbyte.net> <200904211502.10961.froztbyte@froztbyte.net> Message-ID: <20090421145507.GF3772@shrubbery.net> Tue, Apr 21, 2009 at 03:02:10PM +0200, JP Viljoen: > On Tuesday 21 April 2009 14:43:30 Deny IP Any Any wrote: > > It sounds like your setup is expecting it to drop directly to enabled > > mode, which is why it is timing out (it's likely looking for a # in > > the prompt). double-check your .cloginrc file to make sure there isn't > > an autoenable setting that would be applying to your device. > > > > RANCID against an ASA works for me here: > > > > rancid at wh-mon06:~/bin$ ./clogin 192.168.121.11 > > 192.168.121.11 > > spawn ssh -c 3des -x -l rancid 192.168.121.11 > > rancid at 192.168.121.11's password: > > Type help or '?' for a list of available commands. > > P10-JAX-ASA> enable > > Password: ************ > > P10-JAX-ASA# > > P10-JAX-ASA# sh ver > > > > Cisco Adaptive Security Appliance Software Version 8.0(4) > > Device Manager Version 6.1(5)57 > > Speaking to a friend of mine earlier after he saw my post to the list, I did > try debugging with noenable and other parameters and even adjusting the > expected enable prompt to specifically match "Password:" (even though the > default should do this) as well as ensuring it doesn't try to autoenable, all > unsuccessfully. > > Running in debug mode I get the following output near the end (sorry if some > of it is unnecessary, I'm still busy learning the flow of RANCID and getting to > know what's important where): you havent included enough of the output. > expect: does " \r\nType help or '?' for a list of available commands. > \r\n\rciscoasa> " (spawn_id exp6) match glob pattern "unknown host\r"? no > > expect: does " \r\nType help or '?' for a list of available commands. 
> \r\n\rciscoasa> " (spawn_id exp6) match glob pattern "Host is unreachable"? no > "No address associated with name"? no > "(Host key not found |The authenticity of host .* be established).*(yes/no)?"? > no > "HOST IDENTIFICATION HAS CHANGED.* (yes/no)?"? no > "Offending key for .* (yes/no)?"? no > "(denied|Sorry)"? no > "Login failed"? no > "% (Bad passwords|Authentication failed)"? no > "Press any key to continue"? no > "Enter Selection: "? no > "Last login:"? no > "@[^\r\n]+ ([Pp]assword|passwd):"? no > "(Username|Login|login|user name|User):"? no > "([Pp]assword|passwd):"? no > "(#| \(enable\))"? no > "Login invalid"? no > expect: timed out > > Error: TIMEOUT reached > write() failed to write anything - will sleep(1) and retry... > _______________________________________________ > Rancid-discuss mailing list > Rancid-discuss at shrubbery.net > http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss From stsimb at irc.gr Tue Apr 21 19:58:44 2009 
From: stsimb at irc.gr (Sotiris Tsimbonis)
Date: Tue, 21 Apr 2009 22:58:44 +0300
Subject: [rancid] Re: F5 ("bigip") script
In-Reply-To: <1240296615.27514.2.camel@moridin.office.bit.nl.office.bit.nl>
References: <20090416222907.GZ25942@shrubbery.net> <1240234057.11944.39.camel@moridin.office.bit.nl.office.bit.nl> <20090420172840.GM21045@shrubbery.net> <1240296615.27514.2.camel@moridin.office.bit.nl.office.bit.nl>
Message-ID: <49EE2574.7040600@irc.gr>

Teun Vink wrote, On 21/04/2009 09:50 AM:
> On Mon, 2009-04-20 at 17:28 +0000, john heasley wrote:
> [...]
>> what is 'LTM'?
>>
>
> The Local Traffic Manager, one of the products of F5.
>
>>> manually downloaded are the certs. All in all this seems to be a great
>>> improvement. Thanks for making it work.
>> The certs are in the configuration? is there a command or option to get
>> them?
>
> they are stored on local disk in
> /config/ssl/ssl.csr/*
> /config/ssl/ssl.key/*
> /config/ssl/ssl.crl/*
> /config/ssl/ssl.crt/*
>

Here is a small script I've put together and run on our LTM..

----------------------------------------------------------------
bigip01:~# cat /root/rancid-ssl.sh
#!/bin/bash

# List the certificates, then dump each one except the CA bundle.
ls -l /config/ssl/ssl.crt/*.crt
for file in /config/ssl/ssl.crt/*.crt ; do
    if [ "$file" != "/config/ssl/ssl.crt/ca-bundle.crt" ] ; then
        echo " "
        echo "Contents of $file follow:"
        cat "$file"
        echo " "
    fi
done

# List the private keys, then dump each one.
ls -l /config/ssl/ssl.key/*.key
for file in /config/ssl/ssl.key/*.key ; do
    echo " "
    echo "Contents of $file follow:"
    cat "$file"
    echo " "
done

# End marker that the RancidSSL sub looks for.
echo "END-OF-RANCID-SSL"
----------------------------------------------------------------

and the corresponding mods sub in f5rancid

....
@commandtable = (
...
    {'/root/rancid-ssl.sh' => 'RancidSSL'},

sub RancidSSL {
    print STDERR "    In ConfFile: $_" if ($debug);

    ProcessHistory("COMMENTS","","BO","!\n!\n! #### Running $cmd\n!\n!\n");
    # Read the command output from rancid's INPUT handle up to the end marker.
    while (<INPUT>) {
        tr/\015//d;
        last if (/^END-OF-RANCID-SSL/);
#       next if (/^(\s*|\s*$cmd\s*)$/);
        ProcessHistory("","","$cmd","$_");
    }
#    ProcessHistory("","","$cmd","$_");
    $found_end = 1;
    return(0);
}

Sotiris.

>
> Regards,
> Teun
>
From carlo.finotti at gmail.com Tue Apr 21 20:48:51 2009
From: carlo.finotti at gmail.com (Carlo Finotti)
Date: Tue, 21 Apr 2009 16:48:51 -0400
Subject: [rancid] Re: rancid with Cisco ASA 5520 in Multiple Context Mode
In-Reply-To:
References:
Message-ID:

On Tue, Apr 21, 2009 at 10:56 AM, Carlo Finotti wrote:
> But is your ASA running in multiple context mode?  How do you get
> around running sudo everytime?
>
> here is an example:
>
> user at ciscobackup:~$ ./test2.sh
> [sudo] password for user:
>
> This is what ends up in my firewall.cfg file.  The clogin application
> can ssh to the firewall but then it does not run any of the
> pre-defined Cisco commands. ex (terminal pager 0; changeto context
> firewall1; sh run; exit)
>
> spawn ssh -c 3des -x -l rancid 10.2.2.1
> rancid at 10.2.2.1's password:
> Type help or '?' for a list of available commands.
> firewall/admin> enable
> Password: **********
> firewall/admin#
>
>
> On Tue, Apr 21, 2009 at 8:38 AM, Deny IP Any Any wrote:
>> is it possible your sudo is asking for a password? It'll save it the
>> first time you manually do it, but when ran from a script, it might
>> not.
>>
>> Your setup looks very similar to how I have several scripts setup:
>>
>> bwindle at wh-mon06:~$ more p10-jax-asa-cpu.sh
>> #!/bin/sh
>> NOW=`date +%d%b%Y-%H%M`
>>
>> ~rancid/bin/clogin -f /var/lib/rancid/.cloginrc -c 'ping web 192.168.122.12 ; show int web ; show cpu usage ; show processes cpu-hog' 192.168.121.11 > /home/bwindle/jax-asa-failover/$NOW
>>
>>
>> --
>> deny ip any any (4393649193 matches)
>>
>>
>> On Mon, Apr 20, 2009 at 9:37 PM, Carlo Finotti wrote:
>>> So I have been trying to use rancid with "clogin" to simply back up
>>> my firewall running in multiple context mode.  When I run the command
>>> below from a ubuntu command line it works with no issues but if I add
>>> it to a bash script it breaks, any suggestions?
>>>
>>> sudo /usr/lib/rancid/bin/clogin -f /home/user/.cloginrc-firewall -c
>>> 'terminal pager 0; changeto context test; sh run; changeto context
>>> test1; changeto context test2; sh run; changeto context test3; exit'
>>> 10.2.2.1 > /home/user/backups/firewall-test.cfg
>>>
>>> If anyone has any suggestions on creating a bash script with "clogin"
>>> I would appreciate the feedback because I have been racking my brain
>>> :-\  And I am by no means a linux guru so that is why I am struggling.
>>>  My goal is to back up (4) separate firewalls, (3) core switches and
>>> (6) routers while making it as simple as possible.
>>>
>>> Thanks,
>>> Carlo
>>>
>>
>
From jleitao at gmail.com Wed Apr 22 07:47:14 2009
From: jleitao at gmail.com (Jose Leitao)
Date: Wed, 22 Apr 2009 09:47:14 +0200
Subject: [rancid] Blank spaces in password
Message-ID:

Hello everyone,

I'm having an issue with a device that has a blank space in the password, let's say the password is "lala lala", my .cloginrc setup looks like this:

add user 1.1.1.1 lala
add autoenable 1.1.1.1 1
add password 1.1.1.1 {lala lala}
add method 1.1.1.1 ssh

If I try to clogin, it fails, with -d flag, I see this interesting bit:

"@[^\r\n]+ ([Pp]assword|passwd):"? yes
expect: set expect_out(0,string) "@1.1.1.1's password:"
expect: set expect_out(1,string) "password"
expect: set expect_out(spawn_id) "exp6"
expect: set expect_out(buffer) " \r\nlala at 1.1.1.1's password:"
send: sending "lalalala\r" to { exp6 }
expect: continuing expect

It seems it's taking the password "lala lala" and changing it to "lalalala".

I have tried putting the password in .cloginrc in double/single quotes ("lala lala") and using escapes like \s or \20 but no luck.

Any ideas?

I'm using Debian and the rancid version is 2.3.2~a8-4.

Thanks,
JL
From jrivas at atentovenezuela.com.ve Wed Apr 22 14:36:19 2009
From: jrivas at atentovenezuela.com.ve (Jorge Rivas)
Date: Wed, 22 Apr 2009 10:06:19 -0430
Subject: [rancid] Blank spaces in password
Message-ID: <1240410979.11938.9.camel@eufrates-1301.ATENTO.COM>

Try this:

add user x.x.x.x bla
add password x.x.x.x {bla's password} {enable_password}
add method x.x.x.x telnet

Note:
* If enable password is something like "Gaylord Focker", then you should put this -> {Gaylord\ Focker}
* The brackets have to be included in the configuration {...}

Jorge Rivas
Data Analyst
Technology Management
Tel: 212-2799561 | Short code: *042730
Mobile: 412-7368898
E-mail: jrivas at atentovenezuela.com.ve

This e-mail message and any attached files are intended SOLELY for the addressee/s identified herein. It may contain CONFIDENTIAL and/or LEGALLY PRIVILEGED information and may not necessarily represent the opinion of ATENTO VENEZUELA, S.A. If you receive this message in ERROR, please immediately notify the sender and DELETE it since you ARE NOT AUTHORIZED to use, disclose, distribute, print or copy all or part of the contained information. Thank you.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.shrubbery.net/pipermail/rancid-discuss/attachments/20090422/1ecd84ec/attachment.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: e-firma-img1.gif
Type: image/gif
Size: 2634 bytes
Desc: not available
Url : http://www.shrubbery.net/pipermail/rancid-discuss/attachments/20090422/1ecd84ec/attachment.gif
From jrivas at atentovenezuela.com.ve Wed Apr 22 14:38:10 2009
From: jrivas at atentovenezuela.com.ve (Jorge Rivas)
Date: Wed, 22 Apr 2009 10:08:10 -0430
Subject: [rancid] Blank spaces in password
Message-ID: <1240411090.11938.10.camel@eufrates-1301.ATENTO.COM>

Try this:

add user x.x.x.x bla
add password x.x.x.x {bla's password} {enable_password}
add method x.x.x.x telnet

Note:
* If enable password is something like "Gaylord Focker", then you should put this -> {Gaylord\ Focker}
* The brackets have to be included in the configuration {...}

JJRP

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.shrubbery.net/pipermail/rancid-discuss/attachments/20090422/b8f89750/attachment.html
From carlo.finotti at gmail.com Thu Apr 23 00:29:23 2009
From: carlo.finotti at gmail.com (Carlo)
Date: Wed, 22 Apr 2009 20:29:23 -0400
Subject: [rancid] Re: rancid with Cisco ASA 5520 in Multiple Context Mode
In-Reply-To:
References:
Message-ID: <49efb524.0609c00a.36c5.ffff9244@mx.google.com>

I have no issues backing up our external perimeter firewalls. When you login into an ASA running in multiple context mode you login into the "admin" context, this context does not include the other context configurations. So once you are logged into the "admin" context you run the "change" or "changeto" commands to switch between the "virtual" firewalls. Each firewall is separated and there is no global way of backing them up without running the commands listed above.

The sad thing is I was able to back up everything with kiwi cat:\

login in with ssh
changeto firewall1
terminal pager 0
sh run
changeto firewall2
terminal pager 0
sh run
changeto firewall3
terminal pager 0
sh run
exit

-lo

-----Original Message-----
From: Peter Serwe [mailto:peter.serwe at gmail.com]
Sent: Wednesday, April 22, 2009 1:38 PM
To: Carlo Finotti
Subject: Re: [rancid] Re: rancid with Cisco ASA 5520 in Multiple Context Mode

2009/4/22 Carlo Finotti :
> That sounds great! I will follow those steps listed below.
>
> But I'm still having issues backing up my ASA running in multiple context mode:\
>
> -lo

There isn't a good answer to that. I don't use my ASA's that way.

What version of ASA software?

Do you attempt to log into each context automatically, or how do you switch because the way I understand it is that every context has a different configuration, but there is a master context from which you can back up the entire configuration, is this incorrect?

Peter
From Bob.Brunette at cdw.com Thu Apr 23 13:32:24 2009
From: Bob.Brunette at cdw.com (Bob Brunette)
Date: Thu, 23 Apr 2009 08:32:24 -0500
Subject: [rancid] Re: rancid with Cisco ASA 5520 in Multiple Context Mode
In-Reply-To: <49efb524.0609c00a.36c5.ffff9244@mx.google.com>
References: <49efb524.0609c00a.36c5.ffff9244@mx.google.com>
Message-ID:

I think the problem is that when you change to a different context the system prompt string changes. rancid depends on seeing the prompt string to know when it can send the next command. The solution is to login to each context individually and back it up.

Sadly, there is no way to login to the system execution space, and that's where the "master" config is that defines all of the contexts--you must get to it by issuing a "changeto system" command from the admin context. Of course this changes the system prompt string, so you have the same problem as trying to backup multiple contexts.

Bob

-----Original Message-----
From: rancid-discuss-bounces at shrubbery.net [mailto:rancid-discuss-bounces at shrubbery.net] On Behalf Of Carlo
Sent: Wednesday, April 22, 2009 7:29 PM
To: 'Peter Serwe'; rancid-discuss at shrubbery.net
Subject: [rancid] Re: rancid with Cisco ASA 5520 in Multiple Context Mode

I have no issues backing up our external perimeter firewalls. When you login into an ASA running in multiple context mode you login into the "admin" context, this context does not include the other context configurations. So once you are logged into the "admin" context you run the "change" or "changeto" commands to switch between the "virtual" firewalls. Each firewall is separated and there is no global way of backing them up without running the commands listed above.

The sad thing is I was able to back up everything with kiwi cat:\

login in with ssh
changeto firewall1
terminal pager 0
sh run
changeto firewall2
terminal pager 0
sh run
changeto firewall3
terminal pager 0
sh run
exit

-lo

-----Original Message-----
From: Peter Serwe [mailto:peter.serwe at gmail.com]
Sent: Wednesday, April 22, 2009 1:38 PM
To: Carlo Finotti
Subject: Re: [rancid] Re: rancid with Cisco ASA 5520 in Multiple Context Mode

2009/4/22 Carlo Finotti :
> That sounds great! I will follow those steps listed below.
>
> But I'm still having issues backing up my ASA running in multiple context mode:\
>
> -lo

There isn't a good answer to that. I don't use my ASA's that way.

What version of ASA software?

Do you attempt to log into each context automatically, or how do you switch because the way I understand it is that every context has a different configuration, but there is a master context from which you can back up the entire configuration, is this incorrect?

Peter
From sam_mailinglists at spacething.org Thu Apr 23 13:54:54 2009
From: sam_mailinglists at spacething.org (Sam Stickland)
Date: Thu, 23 Apr 2009 14:54:54 +0100
Subject: [rancid] Re: rancid with Cisco ASA 5520 in Multiple Context Mode
In-Reply-To:
References: <49efb524.0609c00a.36c5.ffff9244@mx.google.com>
Message-ID: <49F0732E.3030601@spacething.org>

Bob Brunette wrote:
> Sadly, there is no way to login to the system execution space, and that's where the "master" config is that defines all of the contexts--you must get to it by issuing a "changeto system" command from the admin context

Really? My system context just shows the context allocations, but not the context config. Is there a magic command I'm missing?

Sam
From Bob.Brunette at cdw.com Thu Apr 23 14:01:37 2009
From: Bob.Brunette at cdw.com (Bob Brunette)
Date: Thu, 23 Apr 2009 09:01:37 -0500
Subject: [rancid] Re: rancid with Cisco ASA 5520 in Multiple Context Mode
In-Reply-To: <49F0732E.3030601@spacething.org>
References: <49efb524.0609c00a.36c5.ffff9244@mx.google.com> <49F0732E.3030601@spacething.org>
Message-ID:

Sam, you're not missing any magic command. The system context contains the physical interface configurations as well as the context configurations, which include the interface and resource allocations for each context. All of this is critical information if you need to rebuild a multi-context ASA configuration from scratch after a hardware failure, say.

Bob

-----Original Message-----
From: Sam Stickland [mailto:sam_mailinglists at spacething.org]
Sent: Thursday, April 23, 2009 8:55 AM
To: Bob Brunette
Cc: Carlo; 'Peter Serwe'; rancid-discuss at shrubbery.net
Subject: Re: [rancid] Re: rancid with Cisco ASA 5520 in Multiple Context Mode

Bob Brunette wrote:
> Sadly, there is no way to login to the system execution space, and that's where the "master" config is that defines all of the contexts--you must get to it by issuing a "changeto system" command from the admin context

Really? My system context just shows the context allocations, but not the context config. Is there a magic command I'm missing?

Sam
From meskander at perimeterwatch.com Thu Apr 23 15:19:03 2009
From: meskander at perimeterwatch.com (Mina Eskander)
Date: Thu, 23 Apr 2009 11:19:03 -0400
Subject: [rancid] Re: Rancid with Fortigate Devices?
In-Reply-To: <795645b20904202005g7064098ama88dd09446e7a32@mail.gmail.com>
References: <20090416182401.GE25942@shrubbery.net> <20090420162509.GB21045@shrubbery.net> <20090420174551.GO21045@shrubbery.net> <795645b20904202005g7064098ama88dd09446e7a32@mail.gmail.com>
Message-ID:

I changed the -> in the nlogin script to ~ $ and it still does not work, here is the output I get

[rancid at pwcolocacti bin]$ nlogin -d -t 90 -c"get system status;get conf" pwcolofgt100c
pwcolofgt100c
spawn ssh -c 3des -x -l meskander pwcolofgt100c
parent: waiting for sync byte
parent: telling child to go ahead
parent: now unsynchronized from child
spawn: returns {16963}

expect: does "" (spawn_id exp6) match glob pattern "Connection refused"? no
"Unknown host\r\n"? no
"Host is unreachable"? no
"No address associated with name"? no
"Are you sure you want to continue connecting .*"? no
"Host key not found .* (yes/no)?"? no
"HOST IDENTIFICATION HAS CHANGED.* (yes/no)?"? no
"Offending key for .* (yes/no)?"? no
"denied"? no
" ### Login failed"? no
"(login:)"? no
"@[^\r\n]+[Pp]assword:"? no
"[Pp]assword:"? no
"~ $ "? no
meskander at pwcolofgt100c's password:
expect: does "meskander at pwcolofgt100c's password: " (spawn_id exp6) match glob pattern "Connection refused"? no
"Unknown host\r\n"? no
"Host is unreachable"? no
"No address associated with name"? no
"Are you sure you want to continue connecting .*"? no
"Host key not found .* (yes/no)?"? no
"HOST IDENTIFICATION HAS CHANGED.* (yes/no)?"? no
"Offending key for .* (yes/no)?"? no
"denied"? no
" ### Login failed"? no
"(login:)"? no
"@[^\r\n]+[Pp]assword:"? yes
expect: set expect_out(0,string) "@pwcolofgt100c's password:"
expect: set expect_out(spawn_id) "exp6"
expect: set expect_out(buffer) "meskander at pwcolofgt100c's password:"
send: sending "G0ds at v3s\r" to { exp6 }
expect: continuing expect

expect: does " " (spawn_id exp6) match glob pattern "Connection refused"? no
"Unknown host\r\n"? no
"Host is unreachable"? no
"No address associated with name"? no
"Are you sure you want to continue connecting .*"? no
"Host key not found .* (yes/no)?"? no
"HOST IDENTIFICATION HAS CHANGED.* (yes/no)?"? no
"Offending key for .* (yes/no)?"? no
"denied"? no
" ### Login failed"? no
"(login:)"? no
"@[^\r\n]+[Pp]assword:"? no
"[Pp]assword:"? no
"~ $ "? no


expect: does " \r\n" (spawn_id exp6) match glob pattern "Connection refused"? no
"Unknown host\r\n"? no
"Host is unreachable"? no
"No address associated with name"? no
"Are you sure you want to continue connecting .*"? no
"Host key not found .* (yes/no)?"? no
"HOST IDENTIFICATION HAS CHANGED.* (yes/no)?"? no
"Offending key for .* (yes/no)?"? no
"denied"? no
" ### Login failed"? no
"(login:)"? no
"@[^\r\n]+[Pp]assword:"? no
"[Pp]assword:"? no
"~ $ "? no
FGT100C3G0860259~ $
expect: does " \r\nFGT100C3G0860259~ $ " (spawn_id exp6) match glob pattern "Connection refused"? no
"Unknown host\r\n"? no
"Host is unreachable"? no
"No address associated with name"? no
"Are you sure you want to continue connecting .*"? no
"Host key not found .* (yes/no)?"? no
"HOST IDENTIFICATION HAS CHANGED.* (yes/no)?"? no
"Offending key for .* (yes/no)?"? no
"denied"? no
" ### Login failed"? no
"(login:)"? no
"@[^\r\n]+[Pp]assword:"? no
"[Pp]assword:"? no
"~ $ "? yes
expect: set expect_out(0,string) "~ $ "
expect: set expect_out(spawn_id) "exp6"
expect: set expect_out(buffer) " \r\nFGT100C3G0860259~ $ "
send: sending "\r" to { exp6 }

expect: does "" (spawn_id exp6) match regular expression "[\r\n]+"? no
"^(.+~ $ )"? no


expect: does "\r\r\n" (spawn_id exp6) match regular expression "[\r\n]+"? yes
expect: set expect_out(0,string) "\r\r\n"
expect: set expect_out(spawn_id) "exp6"
expect: set expect_out(buffer) "\r\r\n"
expect: continuing expect

expect: does "" (spawn_id exp6) match regular expression "[\r\n]+"? no
"^(.+~ $ )"? no
FGT100C3G0860259~ $
expect: does "FGT100C3G0860259~ $ " (spawn_id exp6) match regular expression "[\r\n]+"? no
"^(.+~ $ )"? no
expect: timed out

Error: TIMEOUT reached
write() failed to write anything - will sleep(1) and retry...
[rancid at pwcolocacti bin]$

From: rancid-discuss-bounces at shrubbery.net [mailto:rancid-discuss-bounces at shrubbery.net] On Behalf Of Jeff Moorse
Sent: Monday, April 20, 2009 11:06 PM
To: rancid-discuss at shrubbery.net
Subject: [rancid] Re: Rancid with Fortigate Devices?

Anyone know what the correct syntax for the expect script would be to match prompt (assuming the string of #'s following FGT is variable)?

I have experienced similar problems

Thanks

On Mon, Apr 20, 2009 at 10:45 AM, john heasley wrote:
yep, your prompt is nFGT100C3G0860259~ $
but the script expects ->

--
-- Jeff Moorse --

From Graeme.Danielson at airnz.co.nz Thu Apr 23 23:32:23 2009
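An added example, not part of any message in this thread and not RANCID code: the trace above shows the glob pattern "~ $ " matching the prompt while the regular expression "^(.+~ $ )" never does, because an unescaped $ in a regular expression is an end-of-buffer anchor. The Tcl below replays that against constructed buffers; the variable and proc names, the third sample (built from the admin prompt format given later in the thread) and the two replacement patterns are assumptions.

```tcl
# Added illustration, not RANCID code. Runs under plain tclsh (8.5 or later);
# expect's -re patterns follow the same Tcl regular-expression syntax.

# Constructed buffers. The first two are copied from the trace; the third
# follows the admin prompt format described later in the thread.
set samples [list \
    " \r\nFGT100C3G0860259~ \$ " \
    "FGT100C3G0860259~ \$ " \
    "FGT100C3G0860259 # "]

# Patterns as the trace prints them.
set glob_trace {~ $ }        ;# login stage, glob: "$" is an ordinary character
set re_trace   {^(.+~ $ )}   ;# command stage, regexp: "$" is an end anchor

# Hypothetical replacements (assumptions, not taken from nlogin).
set re_literal {^(.+~ \$ )}          ;# same pattern with a literal dollar sign
set re_either  {([^\r\n]+[#$] )$}    ;# "# " or "$ " at the end of the buffer

# expect reports a glob match when the pattern occurs anywhere in the buffer;
# string match needs the surrounding "*" to behave the same way.
proc glob_hit {pat buf} {
    return [string match "*$pat*" $buf]
}

# Make CR/LF visible when printing a buffer.
proc visible {s} {
    return [string map [list "\r" {\r} "\n" {\n}] $s]
}

# Test one buffer against every pattern; returns a dict of name -> 0/1.
proc check {buf} {
    global glob_trace re_trace re_literal re_either
    return [dict create \
        glob_trace [glob_hit $glob_trace $buf] \
        re_trace   [regexp -- $re_trace $buf] \
        re_literal [regexp -- $re_literal $buf] \
        re_either  [regexp -- $re_either $buf]]
}

foreach buf $samples {
    puts "buffer \"[visible $buf]\""
    dict for {name hit} [check $buf] {
        puts [format "  %-10s %s" $name [expr {$hit ? "match" : "no match"}]]
    }
}
```

Where nlogin builds its regular expression from the prompt string is not shown in the thread, so the escaping would have to be applied at that point in the script.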
From: Graeme.Danielson at airnz.co.nz (Danielson, Graeme)
Date: Fri, 24 Apr 2009 11:32:23 +1200
Subject: [rancid] Re: rancid with Cisco ASA 5520 in Multiple Context Mode
In-Reply-To:
References: <49efb524.0609c00a.36c5.ffff9244@mx.google.com><49F0732E.3030601@spacething.org>
Message-ID: <14D53AD54F557A46A13248ABC37055CE04246866@AKLEX020.corp.ad.airnz.co.nz>

I think the context configs are stored in the flash: of system and from memory are displayable with more(?).

Remember though that they are the startup configs not the running configs.

So if you are confident that all your contexts are saved then potentially all necessary config info is available from system?

--
Graeme Danielson

-----Original Message-----
From: rancid-discuss-bounces at shrubbery.net [mailto:rancid-discuss-bounces at shrubbery.net] On Behalf Of Bob Brunette
Sent: Friday, 24 April 2009 2:02 a.m.
To: Sam Stickland
Cc: Carlo; rancid-discuss at shrubbery.net
Subject: [rancid] Re: rancid with Cisco ASA 5520 in Multiple Context Mode

Sam, you're not missing any magic command. The system context contains the physical interface configurations as well as the context configurations, which include the interface and resource allocations for each context. All of this is critical information if you need to rebuild a multi-context ASA configuration from scratch after a hardware failure, say.

Bob

-----Original Message-----
From: Sam Stickland [mailto:sam_mailinglists at spacething.org]
Sent: Thursday, April 23, 2009 8:55 AM
To: Bob Brunette
Cc: Carlo; 'Peter Serwe'; rancid-discuss at shrubbery.net
Subject: Re: [rancid] Re: rancid with Cisco ASA 5520 in Multiple Context Mode

Bob Brunette wrote:
> Sadly, there is no way to login to the system execution space, and that's where the "master" config is that defines all of the contexts--you must get to it by issuing a "changeto system" command from the admin context

Really? My system context just shows the context allocations, but not the context config. Is there a magic command I'm missing?

Sam

From ronnij at gmail.com Fri Apr 24 10:05:52 2009
From: ronnij at gmail.com (Ronni Jensen)
Date: Fri, 24 Apr 2009 12:05:52 +0200
Subject: [rancid] Login works, config fetch doesn't
Message-ID: <7a76d30f0904240305h4959d849l87f682beee746b4@mail.gmail.com>

Hello,

I have a rancid installation which generally works fine for a lot of groups and routers etc. But on some nodes I have problems collecting configurations.

For example, for this Cisco MDS 9140 switch I have the following in .cloginrc file:

add method my-switch-name {telnet}
add autoenable my-switch-name 0
add user my-switch-name admin
add password my-switch-name password password

When I test login with "/usr/local/rancid/bin/clogin my-switch-name" it works fine.

However, if I do "/usr/local/rancid/bin/clogin -c 'sh run' my-switch-name" I can see that login works, but it does not collect running-config and after a little while I get an "Error: TIMEOUT reached" error.

The same error occurs when using "/usr/local/rancid/bin/rancid-run my-switches".

Can anyone help me solve this issue?

Thank you very much :-)

/Cope

From tylerh at bandcon.com Fri Apr 24 23:01:21 2009
From: tylerh at bandcon.com (Tyler Hall)
Date: Fri, 24 Apr 2009 16:01:21 -0700
Subject: [rancid] Issues while running clogin with 6500
Message-ID: <67B864FDA9789F4FA1A854AFD6A1F3C80CB82F2640@devo>

We have a 6500 and when we try to run rancid-run, it errors out with the following:

Getting missed routers: round 4.
write(spawn_id=1): broken pipe
while executing
"send_user -- "$expect_out(buffer)""
invoked from within
"expect -nobrace -re+ { exp_continue } -re {^[^
*]*bbr1.phx1([^#>\r\n]+)?[#>](\([^)\r\n]+\))?} { send_user -- "$expect_out(buffer)"
} -re {^[..."
invoked from within
"expect {
-re "\b+" { exp_continue }
-re "^\[^\n\r *]*$reprompt" { send_user -- "$expect_out(buffer)"
}
-re "^\[^\n\r]*$reprom..."
(procedure "run_commands" line 41)
invoked from within
"run_commands $prompt $command"
("foreach" body line 152)
invoked from within
"foreach router [lrange $argv $i end] {
set router [string tolower $router]
# attempt at platform switching.
set platform ""
send_user ..."
(file "/usr/local/rancid/bin/clogin" line 715)
bbr1.phx1.: missed cmd(s): admin show diag,dir /all slavedisk2:,dir /all sec-slot2:,show diag,dir /all disk1:,dir /all sec-nvram:,dir /all disk2:,dir /all sec-bootflash:,show spe version,dir /all slaveslot2:,dir /all disk0:,dir /all slaveslot0:,dir /all sec-slot1:,dir /all harddiska:,dir /all slavenvram:,dir /all sec-disk2:,dir /all slavesup-bootflash:,dir /all sec-disk0:,dir /all harddiskb:,show inventory raw,dir /all slavedisk1:,show module,show controllers,show diagbus,more system:running-config,dir /all slavedisk0:,show debug,dir /all bootflash:,dir /all sec-slot0:,dir /all sec-disk1:,write term,show vtp status,dir /all sup-bootflash:,dir /all slot2:,dir /all harddisk:,dir /all slot0:,dir /all sup-microcode:,show vlan,dir /all slavebootflash:,show controllers cbus,dir /all slaveslot1:,show vlan-switch,show running-config,show c7200,dir /all slot1:
bbr1.phx1.: End of run not found

When we manually run "clogin -c "sh run" router, it just dies in the middle of the interfaces.

Any help you can provide would be great.

-thall

From froztbyte at froztbyte.net Tue Apr 28 08:46:13 2009
From: froztbyte at froztbyte.net (JP Viljoen)
Date: Tue, 28 Apr 2009 10:46:13 +0200
Subject: [rancid] Re: Timeouts on Cisco ASA
In-Reply-To: <20090421145507.GF3772@shrubbery.net>
References: <200904211122.28498.froztbyte@froztbyte.net> <200904211502.10961.froztbyte@froztbyte.net> <20090421145507.GF3772@shrubbery.net>
Message-ID: <200904281046.13806.froztbyte@froztbyte.net>

On Tuesday 21 April 2009 16:55:07 john heasley wrote:
> you haven't included enough of the output.

Here's the full debug output for a normal run and then for a run with noenable:

The clogin snippet:
rancid at mon:~/rancid/bin$ grep 10.1.2.1 /home/rancid/.cloginrc
add user 10.1.2.1 {user}
add password 10.1.2.1 {loginpass} {enablepass}
add method 10.1.2.1 ssh
add enableprompt 10.1.2.1 {"\[Pp]assword:"}
add autoenable 10.1.2.1 {0}

A manual clogin run:
rancid at mon:~/rancid/bin$ ./clogin -t 10 10.1.2.1
10.1.2.1
spawn ssh -c 3des -x -l user 10.1.2.1
user at 10.1.2.1's password:
Type help or '?' for a list of available commands.
ciscoasa>
Error: TIMEOUT reached

A run with full debug:
rancid at mon:~/rancid/bin$ ./clogin -t 10 -d 10.1.2.1
10.1.2.1
spawn ssh -c 3des -x -l user 10.1.2.1
parent: waiting for sync byte
parent: telling child to go ahead
parent: now unsynchronized from child
spawn: returns {26050}

expect: does "" (spawn_id exp6) match regular expression "(Connection refused| Secure connection [^\n\r]+ refused)"? no
"(Connection closed by|Connection to [^\n\r]+ closed)"? no
expect: does "" (spawn_id exp6) match glob pattern "unknown host\r"? no
expect: does "" (spawn_id exp6) match glob pattern "Host is unreachable"? no
"No address associated with name"? no
"(Host key not found |The authenticity of host .* be established).*(yes/no)?"? no
"HOST IDENTIFICATION HAS CHANGED.* (yes/no)?"? no
"Offending key for .* (yes/no)?"? no
"(denied|Sorry)"? no
"Login failed"? no
"% (Bad passwords|Authentication failed)"? no
"Press any key to continue"? no
"Enter Selection: "? no
"Last login:"? no
"@[^\r\n]+ ([Pp]assword|passwd):"? no
"(Username|Login|login|user name|User):"? no
"([Pp]assword|passwd):"? no
"(#| \(enable\))"? no
"Login invalid"? no
user at 10.1.2.1's password:
expect: does "user at 10.1.2.1's password: " (spawn_id exp6) match regular expression "(Connection refused|Secure connection [^\n\r]+ refused)"? no
"(Connection closed by|Connection to [^\n\r]+ closed)"? no
expect: does "user at 10.1.2.1's password: " (spawn_id exp6) match glob pattern "unknown host\r"? no
expect: does "user at 10.1.2.1's password: " (spawn_id exp6) match glob pattern "Host is unreachable"? no
"No address associated with name"? no
"(Host key not found |The authenticity of host .* be established).*(yes/no)?"? no
"HOST IDENTIFICATION HAS CHANGED.* (yes/no)?"? no
"Offending key for .* (yes/no)?"? no
"(denied|Sorry)"? no
"Login failed"? no
"% (Bad passwords|Authentication failed)"? no
"Press any key to continue"? no
"Enter Selection: "? no
"Last login:"? no
"@[^\r\n]+ ([Pp]assword|passwd):"? yes
expect: set expect_out(0,string) "@10.1.2.1's password:"
expect: set expect_out(1,string) "password"
expect: set expect_out(spawn_id) "exp6"
expect: set expect_out(buffer) "user at 10.1.2.1's password:"
send: sending "loginpass\r" to { exp6 }
expect: continuing expect

expect: does " " (spawn_id exp6) match regular expression "(Connection refused|Secure connection [^\n\r]+ refused)"? no
"(Connection closed by|Connection to [^\n\r]+ closed)"? no
expect: does " " (spawn_id exp6) match glob pattern "unknown host\r"? no
expect: does " " (spawn_id exp6) match glob pattern "Host is unreachable"? no
"No address associated with name"? no
"(Host key not found |The authenticity of host .* be established).*(yes/no)?"? no
"HOST IDENTIFICATION HAS CHANGED.* (yes/no)?"? no
"Offending key for .* (yes/no)?"? no
"(denied|Sorry)"? no
"Login failed"? no
"% (Bad passwords|Authentication failed)"? no
"Press any key to continue"? no
"Enter Selection: "? no
"Last login:"? no
"@[^\r\n]+ ([Pp]assword|passwd):"? no
"(Username|Login|login|user name|User):"? no
"([Pp]assword|passwd):"? no
"(#| \(enable\))"? no
"Login invalid"? no
expect: does " \r\n" (spawn_id exp6) match regular expression "(Connection refused|Secure connection [^\n\r]+ refused)"? no
"(Connection closed by|Connection to [^\n\r]+ closed)"? no
expect: does " \r\n" (spawn_id exp6) match glob pattern "unknown host\r"? no
expect: does " \r\n" (spawn_id exp6) match glob pattern "Host is unreachable"? no
"No address associated with name"? no
"(Host key not found |The authenticity of host .* be established).*(yes/no)?"? no
"HOST IDENTIFICATION HAS CHANGED.* (yes/no)?"? no
"Offending key for .* (yes/no)?"? no
"(denied|Sorry)"? no
"Login failed"? no
"% (Bad passwords|Authentication failed)"? no
"Press any key to continue"? no
"Enter Selection: "? no
"Last login:"? no
"@[^\r\n]+ ([Pp]assword|passwd):"? no
"(Username|Login|login|user name|User):"? no
"([Pp]assword|passwd):"? no
"(#| \(enable\))"? no
"Login invalid"? no
Type help or '?' for a list of available commands.
expect: does " \r\nType help or '?' for a list of available commands.\r\n" (spawn_id exp6) match regular expression "(Connection refused|Secure connection [^\n\r]+ refused)"? no
"(Connection closed by|Connection to [^\n\r]+ closed)"? no
expect: does " \r\nType help or '?' for a list of available commands.\r\n" (spawn_id exp6) match glob pattern "unknown host\r"? no
expect: does " \r\nType help or '?' for a list of available commands.\r\n" (spawn_id exp6) match glob pattern "Host is unreachable"? no
"No address associated with name"? no
"(Host key not found |The authenticity of host .* be established).*(yes/no)?"? no
"HOST IDENTIFICATION HAS CHANGED.* (yes/no)?"? no
"Offending key for .* (yes/no)?"? no
"(denied|Sorry)"? no
"Login failed"? no
"% (Bad passwords|Authentication failed)"? no
"Press any key to continue"? no
"Enter Selection: "? no
"Last login:"? no
"@[^\r\n]+ ([Pp]assword|passwd):"? no
"(Username|Login|login|user name|User):"? no
"([Pp]assword|passwd):"? no
"(#| \(enable\))"? no
"Login invalid"? no
ciscoasa>
expect: does " \r\nType help or '?' for a list of available commands. \r\n\rciscoasa> " (spawn_id exp6) match regular expression "(Connection refused|Secure connection [^\n\r]+ refused)"? no
"(Connection closed by|Connection to [^\n\r]+ closed)"? no
expect: does " \r\nType help or '?' for a list of available commands. \r\n\rciscoasa> " (spawn_id exp6) match glob pattern "unknown host\r"? no
expect: does " \r\nType help or '?' for a list of available commands. \r\n\rciscoasa> " (spawn_id exp6) match glob pattern "Host is unreachable"? no
"No address associated with name"? no
"(Host key not found |The authenticity of host .* be established).*(yes/no)?"? no
"HOST IDENTIFICATION HAS CHANGED.* (yes/no)?"? no
"Offending key for .* (yes/no)?"? no
"(denied|Sorry)"? no
"Login failed"? no
"% (Bad passwords|Authentication failed)"? no
"Press any key to continue"? no
"Enter Selection: "? no
"Last login:"? no
"@[^\r\n]+ ([Pp]assword|passwd):"? no
"(Username|Login|login|user name|User):"? no
"([Pp]assword|passwd):"? no
"(#| \(enable\))"? no
"Login invalid"? no
expect: timed out

Error: TIMEOUT reached
write() failed to write anything - will sleep(1) and retry...

noenable run:
rancid at mon:~/rancid/bin$ ./clogin -t 10 -d -noenable 10.1.2.1
10.1.2.1
spawn ssh -c 3des -x -l user 10.1.2.1
parent: waiting for sync byte
parent: telling child to go ahead
parent: now unsynchronized from child
spawn: returns {26441}

expect: does "" (spawn_id exp6) match regular expression "(Connection refused| Secure connection [^\n\r]+ refused)"? no
"(Connection closed by|Connection to [^\n\r]+ closed)"? no
expect: does "" (spawn_id exp6) match glob pattern "unknown host\r"? no
expect: does "" (spawn_id exp6) match glob pattern "Host is unreachable"? no
"No address associated with name"? no
"(Host key not found |The authenticity of host .* be established).*(yes/no)?"? no
"HOST IDENTIFICATION HAS CHANGED.* (yes/no)?"? no
"Offending key for .* (yes/no)?"? no
"(denied|Sorry)"? no
"Login failed"? no
"% (Bad passwords|Authentication failed)"? no
"Press any key to continue"? no
"Enter Selection: "? no
"Last login:"? no
"@[^\r\n]+ ([Pp]assword|passwd):"? no
"(Username|Login|login|user name|User):"? no
"([Pp]assword|passwd):"? no
"(#| \(enable\))"? no
"Login invalid"? no
user at 10.1.2.1's password:
expect: does "user at 10.1.2.1's password: " (spawn_id exp6) match regular expression "(Connection refused|Secure connection [^\n\r]+ refused)"? no
"(Connection closed by|Connection to [^\n\r]+ closed)"? no
expect: does "user at 10.1.2.1's password: " (spawn_id exp6) match glob pattern "unknown host\r"? no
expect: does "user at 10.1.2.1's password: " (spawn_id exp6) match glob pattern "Host is unreachable"? no
"No address associated with name"? no
"(Host key not found |The authenticity of host .* be established).*(yes/no)?"? no
"HOST IDENTIFICATION HAS CHANGED.* (yes/no)?"? no
"Offending key for .* (yes/no)?"? no
"(denied|Sorry)"? no
"Login failed"? no
"% (Bad passwords|Authentication failed)"? no
"Press any key to continue"? no
"Enter Selection: "? no
"Last login:"? no
"@[^\r\n]+ ([Pp]assword|passwd):"? yes
expect: set expect_out(0,string) "@10.1.2.1's password:"
expect: set expect_out(1,string) "password"
expect: set expect_out(spawn_id) "exp6"
expect: set expect_out(buffer) "user at 10.1.2.1's password:"
send: sending "loginpass\r" to { exp6 }
expect: continuing expect

expect: does " " (spawn_id exp6) match regular expression "(Connection refused|Secure connection [^\n\r]+ refused)"? no
"(Connection closed by|Connection to [^\n\r]+ closed)"? no
expect: does " " (spawn_id exp6) match glob pattern "unknown host\r"? no
expect: does " " (spawn_id exp6) match glob pattern "Host is unreachable"? no
"No address associated with name"? no
"(Host key not found |The authenticity of host .* be established).*(yes/no)?"? no
"HOST IDENTIFICATION HAS CHANGED.* (yes/no)?"? no
"Offending key for .* (yes/no)?"? no
"(denied|Sorry)"? no
"Login failed"? no
"% (Bad passwords|Authentication failed)"? no
"Press any key to continue"? no
"Enter Selection: "? no
"Last login:"? no
"@[^\r\n]+ ([Pp]assword|passwd):"? no
"(Username|Login|login|user name|User):"? no
"([Pp]assword|passwd):"? no
"(#| \(enable\))"? no
"Login invalid"? no
expect: does " \r\n" (spawn_id exp6) match regular expression "(Connection refused|Secure connection [^\n\r]+ refused)"? no
"(Connection closed by|Connection to [^\n\r]+ closed)"? no
expect: does " \r\n" (spawn_id exp6) match glob pattern "unknown host\r"? no
expect: does " \r\n" (spawn_id exp6) match glob pattern "Host is unreachable"? no
"No address associated with name"? no
"(Host key not found |The authenticity of host .* be established).*(yes/no)?"? no
"HOST IDENTIFICATION HAS CHANGED.* (yes/no)?"? no
"Offending key for .* (yes/no)?"? no
"(denied|Sorry)"? no
"Login failed"? no
"% (Bad passwords|Authentication failed)"? no
"Press any key to continue"? no
"Enter Selection: "? no
"Last login:"? no
"@[^\r\n]+ ([Pp]assword|passwd):"? no
"(Username|Login|login|user name|User):"? no
"([Pp]assword|passwd):"? no
"(#| \(enable\))"? no
"Login invalid"? no
Type help or '?' for a list of available commands.
expect: does " \r\nType help or '?' for a list of available commands.\r\n" (spawn_id exp6) match regular expression "(Connection refused|Secure connection [^\n\r]+ refused)"? no
"(Connection closed by|Connection to [^\n\r]+ closed)"? no
expect: does " \r\nType help or '?' for a list of available commands.\r\n" (spawn_id exp6) match glob pattern "unknown host\r"? no
expect: does " \r\nType help or '?' for a list of available commands.\r\n" (spawn_id exp6) match glob pattern "Host is unreachable"? no
"No address associated with name"? no
"(Host key not found |The authenticity of host .* be established).*(yes/no)?"? no
"HOST IDENTIFICATION HAS CHANGED.* (yes/no)?"? no
"Offending key for .* (yes/no)?"? no
"(denied|Sorry)"? no
"Login failed"? no
"% (Bad passwords|Authentication failed)"? no
"Press any key to continue"? no
"Enter Selection: "? no
"Last login:"? no
"@[^\r\n]+ ([Pp]assword|passwd):"? no
"(Username|Login|login|user name|User):"? no
"([Pp]assword|passwd):"? no
"(#| \(enable\))"? no
"Login invalid"? no
ciscoasa>
expect: does " \r\nType help or '?' for a list of available commands. \r\n\rciscoasa> " (spawn_id exp6) match regular expression "(Connection refused|Secure connection [^\n\r]+ refused)"? no
"(Connection closed by|Connection to [^\n\r]+ closed)"? no
expect: does " \r\nType help or '?' for a list of available commands. \r\n\rciscoasa> " (spawn_id exp6) match glob pattern "unknown host\r"? no
expect: does " \r\nType help or '?' for a list of available commands. \r\n\rciscoasa> " (spawn_id exp6) match glob pattern "Host is unreachable"? no
"No address associated with name"? no
"(Host key not found |The authenticity of host .* be established).*(yes/no)?"? no
"HOST IDENTIFICATION HAS CHANGED.* (yes/no)?"? no
"Offending key for .* (yes/no)?"? no
"(denied|Sorry)"? no
"Login failed"? no
"% (Bad passwords|Authentication failed)"? no
"Press any key to continue"? no
"Enter Selection: "? no
"Last login:"? no
"@[^\r\n]+ ([Pp]assword|passwd):"? no
"(Username|Login|login|user name|User):"? no
"([Pp]assword|passwd):"? no
"(#| \(enable\))"? no
"Login invalid"? no
expect: timed out

Error: TIMEOUT reached
write() failed to write anything - will sleep(1) and retry...

From opi045 at yahoo.com Tue Apr 28 09:23:32 2009
From: opi045 at yahoo.com (adnan shahid)
Date: Tue, 28 Apr 2009 02:23:32 -0700 (PDT)
Subject: [rancid] Mail Diff Configuration
Message-ID: <600794.89920.qm@web52401.mail.re2.yahoo.com>

Hi,

I am a new user of rancid. I configured rancid the way the tutorial said. But I am not able to get the mail diff when the configuration changes. Can anybody help me configure mail diff, or share any detailed document on this mail diff configuration?

FYI, I am using the following:
Rancid Version - rancid-2.3.2a2.tar.gz
Red Hat Version - redhat enterprise linux4

Thanks in advance,
Adnan

From heas at shrubbery.net Tue Apr 28 18:13:58 2009
From: heas at shrubbery.net (john heasley)
Date: Tue, 28 Apr 2009 11:13:58 -0700
Subject: [rancid] Re: Issues while running clogin with 6500
In-Reply-To: <67B864FDA9789F4FA1A854AFD6A1F3C80CB82F2640@devo>
References: <67B864FDA9789F4FA1A854AFD6A1F3C80CB82F2640@devo>
Message-ID: <20090428181358.GI13146@shrubbery.net>

Fri, Apr 24, 2009 at 04:01:21PM -0700, Tyler Hall:
> We have a 6500 and when we try to run rancid-run, it errors out with the following:

either telnet/ssh exited prematurely or the device abruptly terminated the connection. You'll have to try these commands manually and/or with 'clogin -d' to determine which.

also, expect back-traces like this should be eliminated in more recent code, included in rancid 2.3.2.

> Getting missed routers: round 4.
> write(spawn_id=1): broken pipe
> while executing
> "send_user -- "$expect_out(buffer)""
> invoked from within
> "expect -nobrace -re+ { exp_continue } -re {^[^
> *]*bbr1.phx1([^#>\r\n]+)?[#>](\([^)\r\n]+\))?} { send_user -- "$expect_out(buffer)"
> } -re {^[..."
> invoked from within
> "expect {
> -re "\b+" { exp_continue }
> -re "^\[^\n\r *]*$reprompt" { send_user -- "$expect_out(buffer)"
> }
> -re "^\[^\n\r]*$reprom..."
> (procedure "run_commands" line 41)
> invoked from within
> "run_commands $prompt $command"
> ("foreach" body line 152)
> invoked from within
> "foreach router [lrange $argv $i end] {
> set router [string tolower $router]
> # attempt at platform switching.
> set platform ""
> send_user ..."
> (file "/usr/local/rancid/bin/clogin" line 715)
> bbr1.phx1.: missed cmd(s): admin show diag,dir /all slavedisk2:,dir /all sec-slot2:,show diag,dir /all disk1:,dir /all sec-nvram:,dir /all disk2:,dir /all sec-bootflash:,show spe version,dir /all slaveslot2:,dir /all disk0:,dir /all slaveslot0:,dir /all sec-slot1:,dir /all harddiska:,dir /all slavenvram:,dir /all sec-disk2:,dir /all slavesup-bootflash:,dir /all sec-disk0:,dir /all harddiskb:,show inventory raw,dir /all slavedisk1:,show module,show controllers,show diagbus,more system:running-config,dir /all slavedisk0:,show debug,dir /all bootflash:,dir /all sec-slot0:,dir /all sec-disk1:,write term,show vtp status,dir /all sup-bootflash:,dir /all slot2:,dir /all harddisk:,dir /all slot0:,dir /all sup-microcode:,show vlan,dir /all slavebootflash:,show controllers cbus,dir /all slaveslot1:,show vlan-switch,show running-config,show c7200,dir /all slot1:
> bbr1.phx1.: End of run not found
>
>
> When we manually run "clogin -c "sh run" router, it just dies in the middle of the interfaces.
>
> Any help you can provide would be great.
>
> -thall

From heas at shrubbery.net Tue Apr 28 19:04:00 2009
From: heas at shrubbery.net (john heasley)
Date: Tue, 28 Apr 2009 12:04:00 -0700
Subject: [rancid] Re: Rancid with Fortigate Devices?
In-Reply-To:
References: <20090416182401.GE25942@shrubbery.net> <20090420162509.GB21045@shrubbery.net> <20090420174551.GO21045@shrubbery.net> <795645b20904202005g7064098ama88dd09446e7a32@mail.gmail.com>
Message-ID: <20090428190400.GR13146@shrubbery.net>

Thu, Apr 23, 2009 at 11:19:03AM -0400, Mina Eskander:
> I changed the -> in the nlogin script to ~ $ and it still does not work, here is the output I get

Would someone who knows the fortigate well please confirm the prompt format? I was told '-> ', but reading through the manual that I found online, it seems that the prompt is '$ ' and gives no indication that it changes with elevated permissions. But, the manual for their CLI seems poorly written.

From jmoorse at gmail.com Tue Apr 28 19:07:42 2009
From: jmoorse at gmail.com (Jeff Moorse)
Date: Tue, 28 Apr 2009 12:07:42 -0700
Subject: [rancid] Re: Rancid with Fortigate Devices?
In-Reply-To: <20090428190400.GR13146@shrubbery.net>
References: <20090416182401.GE25942@shrubbery.net> <20090420162509.GB21045@shrubbery.net> <20090420174551.GO21045@shrubbery.net> <795645b20904202005g7064098ama88dd09446e7a32@mail.gmail.com> <20090428190400.GR13146@shrubbery.net>
Message-ID: <795645b20904281207q6c0c9c99w76172abde5b8a725@mail.gmail.com>

For an admin account the prompt is (sans quotes):
"FGT[model][s/n] # "
Please note the trailing space

For a read only account it is the same but with a $ instead of a #

-Jeff Moorse

On Tue, Apr 28, 2009 at 12:04 PM, john heasley wrote:

> Thu, Apr 23, 2009 at 11:19:03AM -0400, Mina Eskander:
> > I changed the -> in the nlogin script to ~ $ and it still does not work, here is the output I get
>
> Would someone who knows the fortigate well please confirm the prompt format?
> I was told '-> ', but reading through the manual that I found online, it seems that the prompt is '$ ' and gives no indication that it changes with elevated permissions. But, the manual for their CLI seems poorly written.
> > > > From: rancid-discuss-bounces at shrubbery.net [mailto: > rancid-discuss-bounces at shrubbery.net] On Behalf Of Jeff Moorse > > Sent: Monday, April 20, 2009 11:06 PM > > To: rancid-discuss at shrubbery.net > > Subject: [rancid] Re: Rancid with Fortigate Devices? > > > > Anyone know what the correct syntax for the expect script would be to > match prompt (assuming the string of #'s following FGT is variable)? > > > > I have experienced similar problems > > > > Thanks > > On Mon, Apr 20, 2009 at 10:45 AM, john heasley > wrote: > > yep, your prompt is nFGT100C3G0860259~ $ > > but the script expects -> > > > > -- > > -- Jeff Moorse -- > -- -- Jeff Moorse -- From froztbyte at froztbyte.net Wed Apr 29 09:19:17 2009
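An added example for the FortiGate prompt question in Jeff Moorse's message above; it is not code from the thread or from RANCID. The debug log shows the regular expression `^(.+~ $ )` never matching the prompt, and the sketch below reproduces that with Python's `re` module standing in for expect's regular expressions (both treat an unescaped `$` as an end-of-input anchor). `PROMPT_RE` and `classify_prompt` are hypothetical names, and the prompt grammar is an assumption built from the format Jeff describes plus the `~` seen in the log.

```python
import re

# Regular expression copied from the expect debug log quoted above.
# The unescaped "$" is an end-of-input anchor, so the literal space that
# follows it can never match and the prompt is never recognised.
LOGGED_RE = re.compile(r"^(.+~ $ )")

# The same expression with the dollar sign escaped so it is matched literally.
ESCAPED_RE = re.compile(r"^(.+~ \$ )")

# Assumed prompt grammar: "FGT" + model and serial, an optional "~" (seen in
# the log), a space, "#" (admin) or "$" (read-only), and a trailing space.
PROMPT_RE = re.compile(r"(?:^|[\r\n])(FGT[0-9A-Za-z]+)~? ([#$]) \Z")


def classify_prompt(buffer):
    """Return (device_id, role) when buffer ends in a FortiGate prompt, else None."""
    match = PROMPT_RE.search(buffer)
    if match is None:
        return None
    role = "admin" if match.group(2) == "#" else "read-only"
    return match.group(1), role


# Buffers: the first two are taken from the log, the rest are constructed.
SAMPLES = [
    " \r\nFGT100C3G0860259~ $ ",
    "FGT100C3G0860259~ $ ",
    "FGT100C3G0860259 # ",
    "FGT100C3G0860259 #",          # no trailing space, so not a prompt
    "user at host's password: ",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample),
              "logged:", bool(LOGGED_RE.search(sample)),
              "escaped:", bool(ESCAPED_RE.search(sample)),
              "prompt:", classify_prompt(sample))
```
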
From: froztbyte at froztbyte.net (JP Viljoen)
Date: Wed, 29 Apr 2009 11:19:17 +0200
Subject: [rancid] Re: Timeouts on Cisco ASA
In-Reply-To: <20090428155609.GA13146@shrubbery.net>
References: <200904211122.28498.froztbyte@froztbyte.net> <200904281046.13806.froztbyte@froztbyte.net> <20090428155609.GA13146@shrubbery.net>
Message-ID: <200904291119.18052.froztbyte@froztbyte.net>

On Tuesday 28 April 2009 17:56:09 you wrote:
> you have something earlier in your cloginrc that's setting autoenable.

I went through it all line-by-line and it turns out that I didn't see the line in the area where hosts were specified under domain names, and this is where the global auto-enable was.

Thanks

From opi045 at yahoo.com Wed Apr 29 10:53:52 2009
From: opi045 at yahoo.com (adnan shahid)
Date: Wed, 29 Apr 2009 03:53:52 -0700 (PDT)
Subject: [rancid] Mail of diff not coming
Message-ID: <653705.47053.qm@web52405.mail.re2.yahoo.com>

Hi,

When I run bin\rancid-run - most of the times it doesn't send me mail. Though I knew I have changed some configuration in my router, but still it is not sending me mail after running rancid-run. Any issues???

Regards
Adnan

From oglumavd at gmail.com Wed Apr 29 14:59:43 2009
From: oglumavd at gmail.com (Oglum AVD)
Date: Wed, 29 Apr 2009 07:59:43 -0700
Subject: [rancid] Re: Mail of diff not coming
In-Reply-To: <653705.47053.qm@web52405.mail.re2.yahoo.com>
References: <653705.47053.qm@web52405.mail.re2.yahoo.com>
Message-ID:

Adnan,

Have you set up a mail account? Have you defined these?

1. Edit Rancid Config
/home/rancid/etc/rancid.conf
LIST_OF_GROUPS="MyNetwork"

2. Email Configuration;
apt-get install postfix
Modify the as need it...
/etc/postfix/main.cf
removed; youremail at yourdomain.com, localhost.localdomain, localhost
/etc/aliases
rancid-MyNetwork: youremail at domain.com,more at domain.com
newaliases
/etc/init.d/postfix restart

3. Create Cron Job. Make sure to add the cron job under the rancid account!
crontab -e
# run config differ hourly
1 * * * * /usr/lib/rancid/rancid-run
crontab -l | to view cron jobs

2009/4/29 adnan shahid
> Hi,
>
> When I run bin\rancid-run - most of the times it doesn't send me mail. Though
> I knew I have changed some configuration in my router, but still it is not
> sending me mail after running rancid-run. Any issues???
>
>
> Regards
> Adnan

From bmahaffey at pelco.com Wed Apr 29 15:08:43 2009
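A check for the setup in Oglum AVD's steps above, added here as an example and not part of the thread or of RANCID: it reads the `LIST_OF_GROUPS` value from rancid.conf text and reports any group that has no `rancid-<group>` entry in the aliases file. The function names and sample file contents are constructed for illustration, and comparing alias names case-insensitively is an assumption about the local mail system.

```python
import re


def rancid_groups(conf_text):
    """Return the group names listed in LIST_OF_GROUPS (commented lines ignored)."""
    match = re.search(r'^\s*LIST_OF_GROUPS="([^"]*)"', conf_text, re.MULTILINE)
    return match.group(1).split() if match else []


def alias_names(aliases_text):
    """Return the left-hand names defined in an aliases-style file, lowercased."""
    names = set()
    for line in aliases_text.splitlines():
        line = line.split("#", 1)[0]
        # Continuation lines start with whitespace and define no new name.
        if ":" in line and not line[:1].isspace():
            names.add(line.split(":", 1)[0].strip().lower())
    return names


def missing_aliases(conf_text, aliases_text):
    """List the rancid-<group> aliases that the groups need but the file lacks."""
    defined = alias_names(aliases_text)
    wanted = ["rancid-" + group for group in rancid_groups(conf_text)]
    # Assumption: the mail system looks alias names up case-insensitively.
    return [name for name in wanted if name.lower() not in defined]


# Constructed sample input: two groups, one alias name with transposed letters.
SAMPLE_CONF = (
    '# LIST_OF_GROUPS="old"\n'
    'LIST_OF_GROUPS="MyNetwork Lab"; export LIST_OF_GROUPS\n'
)
SAMPLE_ALIASES = (
    "postmaster: root\n"
    "rancid-MyNetwrok: netops@example.com,\n"
    "    oncall@example.com\n"
    "rancid-Lab: netops@example.com  # lab group\n"
)

if __name__ == "__main__":
    for name in missing_aliases(SAMPLE_CONF, SAMPLE_ALIASES):
        print("no alias defined for", name)
```
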
From: bmahaffey at pelco.com (Mahaffey, Brian)
Date: Wed, 29 Apr 2009 08:08:43 -0700
Subject: [rancid] Re: Mail of diff not coming
In-Reply-To: <653705.47053.qm@web52405.mail.re2.yahoo.com>
References: <653705.47053.qm@web52405.mail.re2.yahoo.com>
Message-ID: <4BBAF403456ED74981E7164ED3A4C224011E7EC9@CA-EVS02.pelco.org>

Is your mail server running and properly configured?

http://www.linuxselfhelp.com/quick/sendmail.html - This link helped me understand Sendmail and the options I needed to get it setup properly.

http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch1_:_Network_Backups_With_Rancid - This link helped me understand Rancid a little better. I would go through it step by step and validate you didn't miss something. I seem to do this quite often when I am in a hurry.

Hope this helps.
From: rancid-discuss-bounces at shrubbery.net [mailto:rancid-discuss-bounces at shrubbery.net] On Behalf Of adnan shahid
Sent: Wednesday, April 29, 2009 3:54 AM
To: rancid-discuss at shrubbery.net
Subject: [rancid] Mail of diff not coming

Hi,

When I run bin\rancid-run - most of the times it doesn't send me mail. Though I knew I have changed some configuration in my router, but still it is not sending me mail after running rancid-run. Any issues???

Regards
Adnan

From Atif.SIDDIQUI at HydroOne.com Wed Apr 29 19:00:41 2009
From: Atif.SIDDIQUI at HydroOne.com (Atif.SIDDIQUI at HydroOne.com)
Date: Wed, 29 Apr 2009 15:00:41 -0400
Subject: [rancid] Netscreen 'get chassic'
Message-ID: <41BBAE5132ABA54BB2BA8716254F03D6017C9711@1104MILPEV.corp.hydroone.com>

Is anyone able to capture 'get chassis' information for Netscreen SSG, ISG devices? Modified 'nrancid' script.

From dmosuna at gmail.com Thu Apr 30 11:51:16 2009
From: dmosuna at gmail.com (Désiré)
Date: Thu, 30 Apr 2009 15:51:16 +0400
Subject: [rancid] Problem with CVS repository
Message-ID: <6e5045cc0904300451t757466a4if821e625b9cd9092@mail.gmail.com>

Hi,

I've got a problem with CVS repository. In fact, I've got all my groups in /opt/rancid/var:

rancid at debian:~/var$ ls
Chatillon CVS cvsroot DataCenter Dr Etab logs Marseille

Then for example in Marseille, I've got:

rancid at debian:~/var/Marseille$ ls
configs CVS router.db routers.all routers.down routers.up

In configs, I've got all the configs of my equipment. It's OK. Then, if I go in /opt/rancid/var/CVS:

rancid at debian:~/var/CVS$ ls
Chatillon CVSROOT Datacenter Dr Entries.Log Etab Marseille

Then, in Marseille, I've got

rancid at debian:~/var/CVS/Marseille$ ls
configs router.db,v

In configs, I've got a directory called Attic and all the directories are in *****,v. But, when I access by web interface, and if I want to see the config of my equipment, it is written:

Error: Marseille/configs/Attic/**** is not (any longer) pertinent

And when I go to see in the logs when I've run it for the first time, it is written

/opt/rancid/var/CVS/Marseille/configs/****,v <-- *****
new revision: delete; previous revision: 1.1.1.1
Deleted ******

and afterwards when re-running, it's written:

cvs status: use `cvs add' to create an entry for `****'
cvs add: Re-adding file `****' after dead revision 1.2.
cvs add: use `cvs commit' to add this file permanently
cvs added missing router ****
cvs remove: removed `****'
Deleted ****

Can you guide me please to see where the problem comes from. I've recently upgraded the version to 2.3.2a9.